Abstract. Nominal abstract syntax is an approach to representing names and binding pioneered by Gabbay and Pitts. So far nominal techniques have mostly been studied using classical logic or model theory, not type theory. Nominal extensions to simple, dependent and ML-like polymorphic languages have been studied, but decidability and normalization results have only been established for simple nominal type theories. We present an LF-style dependent type theory extended with name-abstraction types, prove soundness and decidability of $\beta\eta$-equivalence checking, discuss adequacy and canonical forms via an example, and discuss extensions such as dependently-typed recursion and induction principles.



Nominal abstract syntax, introduced by Gabbay and Pitts [10, 28, 22], provides a relatively concrete approach to abstract syntax with binding. Nominal techniques support built-in alpha-equivalence with the ability to compare names as data, but (unlike higher-order abstract syntax [IJJ [261 [23]) do not provide built-in support for substitution or contexts. On the other hand, definitions that involve comparing names as values are sometimes easier to define using nominal abstract syntax, and both single and simultaneous substitution can be defined easily as primitive recursive functions over nominal abstract syntax (see e.g. [H El [30]). Thus, nominal abstract syntax is an alternative approach to representing languages with bound names that has different strengths and weaknesses compared to higher-order abstract syntax.

Historically, one weakness has been the absence of a clean type-theoretic framework for nominal abstract syntax, paralleling elegant frameworks such as LF [Hj, $\lambda$Prolog [23], and more recently Delphin [32] and Beluga [27]. Some previous steps have been taken towards nominal type theories sufficient for reasoning about nominal abstract syntax [371 El I5U1 H2], but as yet a full dependent type theory equipped with metatheoretic results such as decidability of typechecking has not been developed.

$v : \mathsf{name},\ e : \mathsf{type}.$
$\mathsf{var} : v \to e.\quad \mathsf{app} : e \to e \to e.\quad \mathsf{lam} : \langle\!\langle v\rangle\!\rangle e \to e.$

Figure 1: Lambda-calculus syntax in $\lambda\Pi\pitchfork$

Figure 2: Alpha-inequality in $\lambda\Pi\pitchfork$

In this article, we take a step towards such a nominal type theory, by extending a previously-developed simply typed calculus [5] with dependent types, roughly analogous to the LF system (though with some different modes of use in mind). We call our system $\lambda\Pi\pitchfork$, or dependent nominal type theory. $\lambda\Pi\pitchfork$ provides simple techniques for encoding judgments that depend on name-distinctness and can be soundly extended with recursion combinators useful for defining functions and proofs involving nominal abstract syntax. Because $\lambda\Pi\pitchfork$ lacks built-in support for substitution over nominal abstract syntax, it should so far be viewed as a step towards dependently-typed programming and reasoning with nominal features and not as a self-contained logical framework like LF. For example, our approach could serve as a starting point (or domain-specific embedded language) for dependently-typed programming with names and binding within systems such as Agda or Coq based on constructive type theories, as advocated by Licata et al. [19], Westbrook et al. [42], or Pouillard and Pottier [33].

We add names $a, b, \ldots$, name types $\alpha$, and a dependent name-abstraction type constructor $\pitchfork a{:}\alpha.B$ to LF, which is introduced by abstraction ($(a)M$) and eliminated by concretion ($M@a$). The abstraction term can be viewed as constructing an $\alpha$-equivalence class that binds a name; the concretion term instantiates the name bound by an abstraction to a fresh name $a$. This freshness requirement ensures that no two (syntactically) distinct names can ever be identified via renaming, so it is possible to reason about inequalities among names in $\lambda\Pi\pitchfork$. Moreover, this restriction justifies a semantic interpretation of name and name-abstraction types in $\lambda\Pi\pitchfork$ as names and name-abstraction constructions in nominal logic, which in turn justifies adding recursion combinators that can be used to define functions on and reason about inductively-defined types with name-binding within $\lambda\Pi\pitchfork$.

Example. As a simple example of a relation that is easily definable in $\lambda\Pi\pitchfork$, but cannot as easily be defined in LF, consider the signature in Figure 1 and the alpha-inequivalence relation defined in Figure 2. (The notation $\langle\!\langle v\rangle\!\rangle e$ stands for the non-dependent name-abstraction type $\pitchfork a{:}v.e$.) The key rules are neq_V_V and neq_L_L; several other symmetric rules are omitted. Both rules use the $\pitchfork$-quantifier to generate fresh names. The type of neq_V_V states that two variables are alpha-inequivalent if their names are distinct. The type of neq_L_L states that two lambda-abstractions are alpha-inequivalent if their bodies are inequivalent when instantiated to the same fresh name $a$. We discuss this example further in Section 5 and Section 7.
Contributions. The main contribution of this article is the formulation of $\lambda\Pi\pitchfork$ and the proof of key metatheoretic properties such as decidability of typechecking, canonicalization, and conservativity over LF. At a technical level, our contribution draws upon Harper and Pfenning's proof of these properties for LF [15], and we focus on the aspects in which $\lambda\Pi\pitchfork$ differs from LF, primarily having to do with the treatment of name-abstraction types and concretion via the restriction judgment.

Outline. The structure of the rest of this article is as follows. Section 2 discusses additional related work. Section 3 presents the $\lambda\Pi\pitchfork$ type theory, along with basic syntactic properties. Section 4 develops the metatheory of $\lambda\Pi\pitchfork$. Section 5 considers canonical forms and adequacy of representations of nominal abstract syntax in $\lambda\Pi\pitchfork$ via a standard example. Section 6 discusses several examples and extensions such as recursion combinators. Section 7 contrasts $\lambda\Pi\pitchfork$ with closely related systems. Section 8 discusses future work and concludes.



2. Related work

Typed programming languages and type theories incorporating nominal features have already been studied [391 E3 EHJ E21 H]. As in some previous work [371 E3 SI], we employ bunched contexts [25] to enforce the freshness side-conditions on concretions. Specifically, following [5], we employ an explicit context restriction judgment in order to prevent references to the name $a$ within $M$ in a concretion $M@a$. Previously [5], we proved strong normalization for a simple nominal type theory by translation to ordinary lambda-calculus. Here, we prove completeness of a $\beta\eta$-equivalence algorithm more directly by adapting Harper and Pfenning's logical-relations proof for LF [15]. The restriction judgment is used essentially in the modified logical relation.

Schöpp and Stark [371 EE] and Westbrook et al. [HI |32] have considered richer nominal type theories than $\lambda\Pi\pitchfork$. However, Schöpp and Stark did not investigate normalization or decidability, whereas Westbrook proves $\beta$-normalization for a "Calculus of Nominal Inductive Constructions" (CNIC) by a (somewhat complex) translation to ordinary CIC [41]: our logical-relations proof handles $\beta\eta$-equivalence and seems more direct but does not deal with inductive types or polymorphism. Westbrook et al. are developing an implementation of CNIC called Cinic [42].



Pitts [30, 31] has recently investigated a "Nominal System T" that extends simple nominal type theory [5] with locally-scoped names ($\nu$-expressions) and recursion over lambda-terms encoded using nominal abstract syntax. Strong normalization modulo a structural congruence is proved via normalization-by-evaluation. An extended version of this work [31] is different in some ways, and gives an alternative proof of $\beta$-normalization. Both techniques draw on Odersky's $\lambda\nu$-calculus [23].

In Pitts' approach, contexts are standard and do not incorporate freshness assertions, but as a result there are "exotic" terms such as $\nu a.\mathsf{var}\ a : e$, which do not correspond to any object language term and complicate the argument for adequacy. Nevertheless, Pitts' approach is an interesting development that may lead to more expressive and flexible facilities for dependently-typed programming with nominal abstract syntax. However, as discussed in Section 7, there are potential complications in pushing this approach beyond simple $\Pi$-types.

Our approach also bears some similarity to work on weak higher-order abstract syntax, primarily employed in constructive type theories such as Coq [9, 8, 38]. Here, in contrast to ordinary higher-order abstract syntax, the idea is to use a different, atomic type for binders via a function space $v \to e$. The type $v$ can be an abstract type with decidable equality; this makes it possible to define the type of expressions inductively, but primitive recursion over weak HOAS is not straightforward to incorporate into Coq. This approach has been formalized as a consistent extension called the Theory of Contexts [17, 3], and this theory has been related to nominal abstract syntax by Miculan et al. [21].

There has also been recent work on techniques for recursion over higher-order abstract syntax. Pientka [27], Poswolsky and Schürmann [32], and Licata et al. [19] have developed novel (and superficially different) techniques. Schürmann and Poswolsky's approach seems particularly similar to ours; they distinguish between variables and parameters (names), and use ordered contexts with a restriction operation similar to ours. Each of them is considerably more complicated than $\lambda\Pi\pitchfork$, while sharing the advantages of higher-order abstract syntax. Pouillard and Pottier [34] recently proposed an interface in Agda which can be implemented either using nominal terms or de Bruijn terms. This approach may provide a starting point for encoding a $\lambda\Pi\pitchfork$-like language in Agda or Coq, analogous to Harper and Licata's embedding of higher-order abstract syntax. It is a compelling open question how to relate these techniques to nominal techniques (and to each other). Developing such encodings for nominal and various higher-order approaches in a common metalanguage could be a way to compare their expressiveness.

3. Dependent Nominal Type Theory 

The syntax of $\lambda\Pi\pitchfork$ is a straightforward extension of that of LF. We fix countable, disjoint sets of variables $x, y$, names $a, b$, object constants $c, d$, type constants $a, b$, and name-type constants $\alpha, \beta$. The syntactic classes comprise objects, type families (or just types) which classify objects, and kinds which classify types. The syntax of $\lambda\Pi\pitchfork$ kinds, types, and objects is as follows:

$$K ::= \mathsf{type} \mid \Pi x{:}A.K$$
$$A, B ::= a \mid A\ M \mid \Pi x{:}A.B \;\|\; \alpha \mid \pitchfork a{:}\alpha.B$$
$$M, N ::= c \mid x \mid \lambda x{:}A.M \mid M\ N \;\|\; a \mid (a{:}\alpha)M \mid M@a$$

We omit type-level lambda-abstraction, as it complicates the metatheory yet does not add any expressive power to LF [11]. The new syntactic cases of $\lambda\Pi\pitchfork$ are distinguished using two parallel bars ($\|$). As in LF, kinds include $\mathsf{type}$, the kind of all types, and dependent kinds $\Pi x{:}A.K$ that classify type families. Types include constants $a$, applications $A\ M$ of type constructors to term arguments, and dependent types $\Pi x{:}A.B$. Name-types $\alpha$ are constants and thus cannot depend on objects. We include a dependent name-abstraction type constructor, $\pitchfork a{:}\alpha.B$, where $\alpha$ must be a name type. Terms include term constants $c$, variables $x$, applications $M\ N$, and $\lambda$-abstractions $\lambda x{:}A.M$ as in LF. In addition, terms include names $a$, name-abstractions $(a{:}\alpha)M$, and name-applications $M@a$ (also known as concretions). Note that the name argument of a concretion must be a literal name, not an arbitrary term. We adopt the same precedence conventions for abstractions and concretions as for $\lambda$-abstraction and application. For example, $(a{:}\alpha)M@a = (a{:}\alpha)(M@a)$, not $((a{:}\alpha)M)@a$.

The $\Pi$ type constructor and $\lambda$ term constructor bind variables in the usual way. The $\pitchfork a{:}\alpha.B$ type constructor and $(a{:}\alpha)M$ term constructor bind the name $a$ in $B$ or $M$ respectively, so are subject to $\alpha$-renaming. The functions $\mathrm{FV}(-)$ and $\mathrm{FN}(-)$ compute the set of free variables or free names of a kind, type, or object; we write $\mathrm{FVN}(-)$ for $\mathrm{FV}(-) \cup \mathrm{FN}(-)$. As in LF, when $x \notin \mathrm{FV}(B)$, we write $\Pi x{:}A.B$ as the function type $A \to B$; similarly, if $a \notin \mathrm{FN}(B)$, we write $\pitchfork a{:}\alpha.B$ as the name-abstraction type $\langle\!\langle\alpha\rangle\!\rangle B$. We employ simultaneous substitutions $\theta$ of the form
$$\theta ::= \cdot \mid \theta, M/x \mid \theta, a/b$$
By convention, a substitution assigns at most one expression/name to each variable/name. We write $\theta(x)$ or $\theta(a)$ for the expression which $\theta$ assigns to $x$ or $a$ respectively. Simultaneous substitution application $M[\theta]$ is defined in Figure 3.

Figure 3: Substitution application and composition

As in LF, the language of constants used in a specification is described by a signature assigning (closed) kinds to type constants and (closed) types to object constants. The contexts $\Gamma$ used in $\lambda\Pi\pitchfork$ are also similar to those of LF, except that bindings of names introduced by $\pitchfork$ are written $\Gamma\#a{:}\alpha$, to indicate that such names must be "fresh" for the rest of the context:
$$\Sigma ::= \cdot \mid \Sigma, c{:}A \mid \Sigma, a{:}K \;\|\; \Sigma, \alpha{:}\mathsf{name}$$
$$\Gamma ::= \cdot \mid \Gamma, x{:}A \;\|\; \Gamma\#a{:}\alpha$$
By convention, the constants and variables on the left-hand side of ':' in a signature or context are always distinct. This implicitly constrains the inference rules.

We extend Harper and Pfenning's presentation of the LF typing and equality rules [15]. All judgments except signature formation are implicitly parametrized by a signature $\Sigma$. We omit explicit freshness and signature or context well-formedness constraints.

The well-formedness rules of $\lambda\Pi\pitchfork$ are shown in Figures 4 to 7. The additional definitional equivalence rules of $\lambda\Pi\pitchfork$ are shown in Figure 9. We omit the standard definitional equivalence rules of LF; we add a type-level extensionality rule that was omitted from Harper and Pfenning's presentation but is admissible [40]. The new rules define the behavior of names and name-abstraction or $\pitchfork$-types. The $\pitchfork$-type formation rule is similar to the $\Pi$-type formation rule, except using the $\Gamma\#a{:}\alpha$ context former. The rule for name-abstraction is similar. In the rule for concretion, the name at which the abstraction term is instantiated is removed from the context using a context restriction judgment $\Gamma \vdash a{:}\alpha \setminus \Gamma'$, shown in Figure 8. This judgment states that $a : \alpha$ is bound in $\Gamma$ and $\Gamma'$ is the result of removing the name $a$ from $\Gamma$, along with any variables that were introduced more recently than $a$. For technical reasons, we also need a substitution restriction operation $\theta - a$, also shown in Figure 8.

$$\frac{}{\vdash \cdot\ \mathsf{sig}} \qquad \frac{\vdash \Sigma\ \mathsf{sig} \quad \vdash K : \mathsf{kind}}{\vdash \Sigma, a{:}K\ \mathsf{sig}} \qquad \frac{\vdash \Sigma\ \mathsf{sig} \quad \cdot \vdash A : \mathsf{type}}{\vdash \Sigma, c{:}A\ \mathsf{sig}} \qquad \frac{\vdash \Sigma\ \mathsf{sig}}{\vdash \Sigma, \alpha{:}\mathsf{name}\ \mathsf{sig}}$$
$$\frac{}{\vdash \cdot\ \mathsf{ctx}} \qquad \frac{\vdash \Gamma\ \mathsf{ctx} \quad \Gamma \vdash A : \mathsf{type}}{\vdash \Gamma, x{:}A\ \mathsf{ctx}} \qquad \frac{\vdash \Gamma\ \mathsf{ctx} \quad \alpha : \mathsf{name} \in \Sigma}{\vdash \Gamma\#a{:}\alpha\ \mathsf{ctx}}$$

Figure 4: $\lambda\Pi\pitchfork$ well-formedness rules: signatures, contexts

$$\frac{}{\Gamma \vdash \mathsf{type} : \mathsf{kind}}\ (\text{type\_k}) \qquad \frac{\Gamma \vdash A : \mathsf{type} \quad \Gamma, x{:}A \vdash K : \mathsf{kind}}{\Gamma \vdash \Pi x{:}A.K : \mathsf{kind}}$$

Figure 5: $\lambda\Pi\pitchfork$ well-formedness rules: kinds

$$\frac{\Gamma \vdash A : \mathsf{type} \quad \Gamma, x{:}A \vdash B : \mathsf{type}}{\Gamma \vdash \Pi x{:}A.B : \mathsf{type}} \qquad \frac{\Gamma \vdash A : K \quad \Gamma \vdash K = K' : \mathsf{kind}}{\Gamma \vdash A : K'}$$
$$\frac{\alpha : \mathsf{name} \in \Sigma}{\Gamma \vdash \alpha : \mathsf{type}} \qquad \frac{\Gamma\#a{:}\alpha \vdash B : \mathsf{type}}{\Gamma \vdash \pitchfork a{:}\alpha.B : \mathsf{type}}$$

Figure 6: $\lambda\Pi\pitchfork$ well-formedness rules: type families

$$\frac{c{:}A \in \Sigma}{\Gamma \vdash c : A} \qquad \frac{x{:}A \in \Gamma}{\Gamma \vdash x : A} \qquad \frac{a{:}\alpha \in \Gamma}{\Gamma \vdash a : \alpha}$$
$$\frac{\Gamma \vdash A : \mathsf{type} \quad \Gamma, x{:}A \vdash M : B}{\Gamma \vdash \lambda x{:}A.M : \Pi x{:}A.B}\ (\text{lam\_o}) \qquad \frac{\Gamma \vdash M : \Pi x{:}A.B \quad \Gamma \vdash N : A}{\Gamma \vdash M\ N : B[N/x]}$$
$$\frac{\alpha : \mathsf{name} \in \Sigma \quad \Gamma\#a{:}\alpha \vdash M : B}{\Gamma \vdash (a{:}\alpha)M : \pitchfork a{:}\alpha.B}\ (\text{abs\_o}) \qquad \frac{\Gamma \vdash a{:}\alpha \setminus \Gamma' \quad \Gamma' \vdash M : \pitchfork a{:}\alpha.B}{\Gamma \vdash M@a : B}\ (\text{conc\_o})$$

Figure 7: $\lambda\Pi\pitchfork$ well-formedness rules: objects

$$\frac{}{\Gamma\#a{:}\alpha \vdash a{:}\alpha \setminus \Gamma}\ (\text{res\_id}) \qquad \frac{\Gamma \vdash a{:}\alpha \setminus \Gamma'}{\Gamma\#b{:}\beta \vdash a{:}\alpha \setminus \Gamma'\#b{:}\beta}\ (\text{res\_nm}) \qquad \frac{\Gamma \vdash a{:}\alpha \setminus \Gamma'}{\Gamma, x{:}A \vdash a{:}\alpha \setminus \Gamma'}\ (\text{res\_var})$$
$$\cdot - a = \cdot \qquad (\theta, M/x) - a = \theta - a \qquad (\theta, a'/a) - a = \theta \qquad (\theta, b'/b) - a = (\theta - a), b'/b$$

Figure 8: Context and substitution restriction

The use of an explicit context restriction judgment is a key difference between $\lambda\Pi\pitchfork$ and other systems that use bunched contexts, such as Schöpp and Stark's system [37] or O'Hearn and Pym's Logic of Bunched Implications [25]. In those theories, context conversion steps can be performed nondeterministically at any point. This complicates equivalence-checking in the presence of dependent types, because we have to be careful to ensure that context conversion steps do not make the context ill-formed. In $\lambda\Pi\pitchfork$, we constrain the use of bunched contexts so that standard typechecking and equivalence algorithms for LF can be re-used with minimal changes.

$$\frac{\Gamma, x{:}B \vdash A_1\ x = A_2\ x : K}{\Gamma \vdash A_1 = A_2 : \Pi x{:}B.K} \qquad \frac{\Gamma\#a{:}\alpha \vdash A = B : \mathsf{type}}{\Gamma \vdash \pitchfork a{:}\alpha.A = \pitchfork a{:}\alpha.B : \mathsf{type}}$$
$$\frac{a{:}\alpha \in \Gamma}{\Gamma \vdash a = a : \alpha}\ (\text{eq\_nm}) \qquad \frac{\Gamma\#a{:}\alpha \vdash M = N : A}{\Gamma \vdash (a{:}\alpha)M = (a{:}\alpha)N : \pitchfork a{:}\alpha.A}\ (\text{eq\_abs}) \qquad \frac{\Gamma \vdash b{:}\alpha \setminus \Gamma' \quad \Gamma' \vdash M = N : \pitchfork a{:}\alpha.A}{\Gamma \vdash M@b = N@b : A[b/a]}\ (\text{eq\_conc})$$
$$\frac{\Gamma \vdash b{:}\alpha \setminus \Gamma' \quad \Gamma'\#a{:}\alpha \vdash M = N : A}{\Gamma \vdash ((a{:}\alpha)M)@b = N[b/a] : A[b/a]}\ (\text{eq\_nm\_beta}) \qquad \frac{\Gamma\#a{:}\alpha \vdash M@a = N@a : A}{\Gamma \vdash M = N : \pitchfork a{:}\alpha.A}\ (\text{eq\_nm\_eta})$$

Figure 9: New definitional equivalence rules of $\lambda\Pi\pitchfork$

We consider a substitution to be well-formed (written $\Gamma \vdash \theta : \Gamma'$) when it maps the variables and names of some context $\Gamma'$ to terms and names well-formed with respect to another context $\Gamma$, while respecting the freshness requirements of $\Gamma'$. This is formalized as follows:
$$\frac{}{\Gamma \vdash \cdot : \cdot} \qquad \frac{\Gamma \vdash \theta : \Gamma' \quad \Gamma \vdash M : A[\theta]}{\Gamma \vdash \theta, M/x : \Gamma', x{:}A} \qquad \frac{\Gamma \vdash a{:}\alpha \setminus \Gamma'' \quad \Gamma'' \vdash \theta : \Gamma'}{\Gamma \vdash \theta, a/b : \Gamma'\#b{:}\alpha}$$
In addition, we consider a context $\Gamma'$ to be a subcontext of $\Gamma$ (written $\Gamma' \preceq \Gamma$) if $\Gamma \vdash \mathrm{id}_{\Gamma'} : \Gamma'$ holds, where $\mathrm{id}_{\Gamma'}$ denotes the identity substitution on context $\Gamma'$. Note that, for example, $\cdot, x{:}A\#a{:}\alpha \succeq \cdot\#a{:}\alpha, x{:}A$ holds but not the converse, because the former context guarantees that $a$ is fresh for $x$ and the latter does not.

We employ a number of standard metatheoretic results about LF, which extend to $\lambda\Pi\pitchfork$ without difficulty. We next summarize some basic metatheoretic properties of $\lambda\Pi\pitchfork$. Let $J$ range over well-formedness assertions $K : \mathsf{kind}$, $A : K$, $M : A$ or equality assertions $K = K' : \mathsf{kind}$, $A = A' : K$, $M = M' : A$.

Lemma 3.1 (Determinacy of restriction). If $\Gamma \vdash a{:}\alpha \setminus \Gamma_1$ and $\Gamma \vdash a{:}\alpha \setminus \Gamma_2$ then $\Gamma_1 = \Gamma_2$.

Proof. Straightforward induction on the first derivation using inversion on the second. □

Lemma 3.2 (Restriction implies weakening). If $\Gamma \vdash a{:}\alpha \setminus \Gamma'$ then $\Gamma'\#a{:}\alpha \preceq \Gamma$.

Proof. Straightforward, by induction on the structure of derivations. □

Lemma 3.3 (Weakening). Suppose $\Gamma' \succeq \Gamma$. Then (1) If $\Gamma \vdash a{:}\alpha \setminus \Gamma_0$ then $\Gamma' \vdash a{:}\alpha \setminus \Gamma'_0$ for some $\Gamma'_0 \succeq \Gamma_0$. (2) If $\Gamma \vdash J$ then $\Gamma' \vdash J$.

Lemma 3.4 (Substitution restriction). If $\Gamma' \vdash \theta : \Gamma$ and $\Gamma \vdash a{:}\alpha \setminus \Gamma_0$ then $\Gamma' \vdash \theta(a){:}\alpha \setminus \Gamma'_0$ and $\Gamma'_0 \vdash \theta - a : \Gamma_0$ for some $\Gamma'_0$.

Lemma 3.5 (General Substitution). Assume $\Gamma \vdash J$ and $\Gamma' \vdash \theta : \Gamma$. Then $\Gamma' \vdash J[\theta]$.
Proof. The cases for existing LF rules are straightforward. Of the new cases, only the rule for concretion is interesting. Suppose we have
$$\frac{\Gamma \vdash b{:}\alpha \setminus \Gamma_0 \quad \Gamma_0 \vdash M : \pitchfork a{:}\alpha.B}{\Gamma \vdash M@b : B[b/a]}$$
Then by assumption, we have $\Gamma' \vdash \theta : \Gamma$. Using Lemma 3.4 on the first premise, we have $\Gamma' \vdash b[\theta]{:}\alpha \setminus \Gamma'_0$ and $\Gamma'_0 \vdash \theta - b : \Gamma_0$ for some $\Gamma'_0$. Thus, by induction, $\Gamma'_0 \vdash M[\theta - b] : (\pitchfork a{:}\alpha.B)[\theta - b]$ and by definition, $\Gamma'_0 \vdash M[\theta - b] : \pitchfork a{:}\alpha.B[\theta - b]$. Moreover, we may derive
$$\frac{\Gamma' \vdash b[\theta]{:}\alpha \setminus \Gamma'_0 \quad \Gamma'_0 \vdash M[\theta - b] : \pitchfork a{:}\alpha.B[\theta - b]}{\Gamma' \vdash M[\theta - b]@b[\theta] : B[\theta - b][b[\theta]/a]}$$
To conclude, we observe that $M[\theta - b] = M[\theta]$ and $B[\theta - b][b[\theta]/a] = B[b/a][\theta]$ since the extra variables and names mentioned in $\theta$ cannot be mentioned in $M$ or $B$. So $\Gamma' \vdash (M@b)[\theta] : B[b/a][\theta]$. □

Corollary 3.6 (Substitution). If $\Gamma \vdash M : A$ and $\Gamma, x{:}A \vdash J$, then $\Gamma \vdash J[M/x]$.

Proof. Follows from Lemma 3.5 using $\theta = \mathrm{id}_\Gamma, M/x$, which is easily seen to satisfy $\Gamma \vdash \mathrm{id}_\Gamma, M/x : \Gamma, x{:}A$. □

Corollary 3.7 (Renaming). If $\Gamma \vdash a{:}\alpha \setminus \Gamma'$ and $\Gamma'\#b{:}\alpha \vdash J$, then $\Gamma \vdash J[a/b]$.

Proof. Follows from Lemma 3.5 using $\theta = \mathrm{id}_{\Gamma'}, a/b$, which satisfies $\Gamma \vdash \mathrm{id}_{\Gamma'}, a/b : \Gamma'\#b{:}\alpha$. □

As an initial check that these rules are sensible, we verify the local soundness and completeness properties expressing that typability is preserved by $\beta$-reduction and $\eta$-expansion steps. For $\beta$-reductions of name-abstractions, given
$$\frac{\Gamma \vdash b{:}\alpha \setminus \Gamma' \quad \dfrac{\Gamma'\#a{:}\alpha \vdash M : B(a)}{\Gamma' \vdash (a{:}\alpha)M : \pitchfork a{:}\alpha.B(a)}}{\Gamma \vdash ((a{:}\alpha)M)@b : B(b)}$$
we conclude that $\Gamma \vdash M[b/a] : B(b)$ by Corollary 3.7. For $\eta$-expansion of name-abstractions, given a derivation of $\Gamma \vdash M : \pitchfork a{:}\alpha.B$, and a name $a \notin \Gamma$, we can expand to:
$$\frac{\dfrac{\Gamma\#a{:}\alpha \vdash a{:}\alpha \setminus \Gamma \quad \Gamma \vdash M : \pitchfork a{:}\alpha.B}{\Gamma\#a{:}\alpha \vdash M@a : B}}{\Gamma \vdash (a{:}\alpha)M@a : \pitchfork a{:}\alpha.B}$$

As further examples of the properties of $\lambda\Pi\pitchfork$, observe that for any $A, B$ with $a \notin \mathrm{FN}(B)$ we have "weakening" and "exchange" properties for $\pitchfork$:
$$\vdash \lambda x{:}B.(a{:}\alpha)x : B \to \pitchfork a{:}\alpha.B,$$
$$\vdash \lambda x{:}(\pitchfork a{:}\alpha.\pitchfork b{:}\beta.A).(b{:}\beta)(a{:}\alpha)x@a@b : \pitchfork a{:}\alpha.\pitchfork b{:}\beta.A \to \pitchfork b{:}\beta.\pitchfork a{:}\alpha.A.$$
We might expect an inverse "strengthening" property, that is, $\pitchfork a{:}\alpha.B \to B$, but this does not hold in general. The following derivation gets stuck because there is no name $a$ to which to apply $x$:
$$\frac{x{:}\pitchfork a{:}\alpha.B \vdash\ ?? : B}{\vdash \lambda x{:}(\pitchfork a{:}\alpha.B).\ ?? : \pitchfork a{:}\alpha.B \to B}$$

This makes sense, semantically speaking, because for example there is no equivariant function from the nominal set $(\mathbb{A})\mathbb{A}$ to $\mathbb{A}$ (where $\mathbb{A}$ is a set of names). We will not develop a nominal set semantics of $\lambda\Pi\pitchfork$ here, but such a semantics was developed for a simply-typed calculus in [5].

There are natural functions that are definable in the nominal set semantics that are not definable in $\lambda\Pi\pitchfork$. Suppose we have a function $h : \mathbb{A} \times X \to Y$ such that for any name $a$, if $a$ is fresh for $x$ then $a$ is fresh for $h(a,x)$. Then, as discussed by Pitts [29], we can define a function $h' : (\mathbb{A})X \to Y$ satisfying $h(a,x) = h'((a)x)$. (This function is obtained by lifting $h$ to equivalence classes of name-abstractions; the freshness condition for $h$ is sufficient to ensure that $h$ respects $\alpha$-equivalence classes.)

As a simple example, suppose for the moment we include a standard option type and consider the function $g' : (\mathbb{A})\mathbb{A} \to \mathbb{A}\ \mathsf{option}$ defined by
$$g(a, x) = \begin{cases} \mathsf{NONE} & a = x \\ \mathsf{SOME}\ x & a \neq x \end{cases}$$
This function lets us test whether an abstraction is of the form $(a)a$, and if it is not, extracts the body. We have $a \mathrel{\#} x$ implies $a \mathrel{\#} g(a,x)$, but $g'$ cannot be defined as a $\lambda\Pi\pitchfork$ term $N : \langle\!\langle\alpha\rangle\!\rangle\alpha \to \alpha\ \mathsf{option}$. As another example, consider the function $k' : (\mathbb{A})\mathbb{N} \to \mathbb{N}$ obtained from $k(a,n) = n$. We can obviously define a natural number type $\mathsf{nat}$ in $\lambda\Pi\pitchfork$, but we cannot define a $\lambda\Pi\pitchfork$ function $M : \langle\!\langle\alpha\rangle\!\rangle\mathsf{nat} \to \mathsf{nat}$ satisfying $M((a)n) = n$.

In $\lambda\Pi\pitchfork$, we currently have no general way to define such functions, and it is not immediately obvious how to accommodate them. One possibility might be to add a term constructor $\nu a{:}\alpha.M$ with well-formedness rule:
$$\frac{\Gamma\#a{:}\alpha \vdash M : A \quad \text{``$a$ fresh for $M$''}}{\Gamma \vdash \nu a{:}\alpha.M : A}$$
Roughly this approach (without the freshness side-condition) is taken in a simply-typed calculus called Nominal System T [30, 31]. However, there are significant complications with incorporating this approach to name-restriction into a dependent type theory, explored further in Section 7.

In addition to the basic results presented so far, we need to establish a number of straightforward properties for $\lambda\Pi\pitchfork$, including validity, inversion, and injectivity for $\Pi$ and $\pitchfork$. These properties (and their proofs) are essentially the same as for LF as given in [15, 40] and are omitted.



4. Equivalence and canonical forms 

In this section we show that the definitional equivalence and well-formedness judgments of $\lambda\Pi\pitchfork$ are decidable. In previous work [5], we showed strong normalization for a simply-typed lambda calculus with names and name-abstraction types by translating name-types to function types and re-using standard results for the simply-typed lambda calculus. Here, we prove the desired results directly, based on Harper and Pfenning's decidability proof [15]. Harper and Pfenning's approach is based on an algorithmic equivalence judgment that weak head-normalizes LF terms. The judgment only tracks simple types $\tau$ for variables, and the terms it compares need not be well-formed. The algorithm is shown sound and complete for well-formed LF terms with respect to the definitional equivalence rules. Soundness is proved syntactically, whereas completeness involves a logical relation argument. The logical relation is defined by induction on the structure of simple types.
$$\frac{M \rightsquigarrow M'}{M\ N \rightsquigarrow M'\ N} \qquad (\lambda x{:}A.M)\ N \rightsquigarrow M[N/x] \qquad \frac{M \rightsquigarrow N}{M@a \rightsquigarrow N@a} \qquad ((a{:}\alpha)M)@b \rightsquigarrow M[b/a]$$

Figure 10: Weak head reduction

$$\frac{M \rightsquigarrow M' \quad \Delta \vdash M' \Leftrightarrow N : a^-}{\Delta \vdash M \Leftrightarrow N : a^-} \qquad \frac{N \rightsquigarrow N' \quad \Delta \vdash M \Leftrightarrow N' : a^-}{\Delta \vdash M \Leftrightarrow N : a^-}$$
$$\frac{\Delta \vdash M \leftrightarrow N : a^-}{\Delta \vdash M \Leftrightarrow N : a^-} \qquad \frac{\Delta, x{:}\tau_1 \vdash M\ x \Leftrightarrow N\ x : \tau_2}{\Delta \vdash M \Leftrightarrow N : \tau_1 \to \tau_2} \qquad \frac{\Delta\#a{:}\alpha \vdash M@a \Leftrightarrow N@a : \tau}{\Delta \vdash M \Leftrightarrow N : \langle\alpha\rangle\tau}$$
$$\frac{x{:}\tau \in \Delta}{\Delta \vdash x \leftrightarrow x : \tau} \qquad \frac{c{:}A \in \Sigma}{\Delta \vdash c \leftrightarrow c : A^-} \qquad \frac{a{:}\alpha \in \Delta}{\Delta \vdash a \leftrightarrow a : \alpha}$$
$$\frac{\Delta \vdash M_1 \leftrightarrow N_1 : \tau_1 \to \tau_2 \quad \Delta \vdash M_2 \Leftrightarrow N_2 : \tau_1}{\Delta \vdash M_1\ M_2 \leftrightarrow N_1\ N_2 : \tau_2} \qquad \frac{\Delta \vdash a{:}\alpha \setminus \Delta' \quad \Delta' \vdash M \leftrightarrow N : \langle\alpha\rangle\tau}{\Delta \vdash M@a \leftrightarrow N@a : \tau}$$

Figure 11: Algorithmic and structural equivalence rules for objects

$$\frac{\Delta \vdash A \leftrightarrow B : \mathsf{type}^-}{\Delta \vdash A \Leftrightarrow B : \mathsf{type}^-} \qquad \frac{\Delta, x{:}\tau \vdash A\ x \Leftrightarrow B\ x : \kappa}{\Delta \vdash A \Leftrightarrow B : \tau \to \kappa}$$
$$\frac{\Delta \vdash A_1 \Leftrightarrow B_1 : \mathsf{type}^- \quad \Delta, x{:}A_1^- \vdash A_2 \Leftrightarrow B_2 : \mathsf{type}^-}{\Delta \vdash \Pi x{:}A_1.A_2 \Leftrightarrow \Pi x{:}B_1.B_2 : \mathsf{type}^-} \qquad \frac{\Delta\#a{:}\alpha \vdash B \Leftrightarrow B' : \mathsf{type}^-}{\Delta \vdash \pitchfork a{:}\alpha.B \Leftrightarrow \pitchfork a{:}\alpha.B' : \mathsf{type}^-}$$
$$\frac{a{:}K \in \Sigma}{\Delta \vdash a \leftrightarrow a : K^-} \qquad \frac{\alpha : \mathsf{name} \in \Sigma}{\Delta \vdash \alpha \leftrightarrow \alpha : \mathsf{type}^-} \qquad \frac{\Delta \vdash A \leftrightarrow B : \tau \to \kappa \quad \Delta \vdash M \Leftrightarrow N : \tau}{\Delta \vdash A\ M \leftrightarrow B\ N : \kappa}$$

Figure 12: Algorithmic and structural equivalence rules for types

$$\frac{}{\Delta \vdash \mathsf{type} \Leftrightarrow \mathsf{type} : \mathsf{kind}} \qquad \frac{\Delta \vdash A \Leftrightarrow B : \mathsf{type}^- \quad \Delta, x{:}A^- \vdash K \Leftrightarrow L : \mathsf{kind}}{\Delta \vdash \Pi x{:}A.K \Leftrightarrow \Pi x{:}B.L : \mathsf{kind}}$$

Figure 13: Algorithmic equivalence rules for kinds

We extend their simple types and kinds with name-abstraction types as follows:
$$\tau ::= a^- \mid \tau \to \tau' \;\|\; \langle\alpha\rangle\tau \mid \alpha \qquad\qquad \kappa ::= \mathsf{type}^- \mid \tau \to \kappa$$
and extend the erasure function by defining $\alpha^- = \alpha$ and $(\pitchfork a{:}\alpha.A)^- = \langle\alpha\rangle A^-$. We consider simple contexts $\Delta$ mapping variables to simple types. We extend the weak head reduction and algorithmic equivalence judgments with rules for names and name-abstractions (Figure 11). Also, we define a restriction judgment $\Delta \vdash a{:}\alpha \setminus \Delta'$ for simple contexts; its definition is identical to that for dependently-typed contexts and so is omitted.

There are a number of additional properties of erasure and algorithmic equivalence that are needed for the following soundness and completeness results, but again these are essentially the same as in [15, 40] so are omitted.
4.1. Soundness. The proof of soundness is syntactic. Note however that we include a rule for type-level extensionality, avoiding a subtle problem in Harper and Pfenning's presentation (see [Ml sec. 3.4]).

Theorem 4.1 (Subject reduction). If $\Gamma \vdash M : A$ and $M \rightsquigarrow M'$ then $\Gamma \vdash M = M' : A$ (and hence $\Gamma \vdash M' : A$ also).

Proof. By induction on the derivation of $M \rightsquigarrow M'$, with most cases standard.



• If the derivation is of the form:
$$\frac{M \rightsquigarrow M'}{M@a \rightsquigarrow M'@a}$$
then by inversion we must have $\Gamma \vdash a{:}\alpha \setminus \Gamma'$ and $\Gamma' \vdash M : \pitchfork b{:}\alpha.A'$ where $\Gamma \vdash A = A'[a/b] : \mathsf{type}$. Hence, by induction we know that $\Gamma' \vdash M = M' : \pitchfork b{:}\alpha.A'$, and we may derive
$$\frac{\dfrac{\Gamma \vdash a{:}\alpha \setminus \Gamma' \quad \Gamma' \vdash M = M' : \pitchfork b{:}\alpha.A'}{\Gamma \vdash M@a = M'@a : A'[a/b]} \quad \Gamma \vdash A = A'[a/b] : \mathsf{type}}{\Gamma \vdash M@a = M'@a : A}$$

• If the derivation is of the form:
$$((a{:}\alpha)M)@b \rightsquigarrow M[b/a]$$
then by inversion we must have $\Gamma \vdash b{:}\alpha \setminus \Gamma'$ and $\Gamma' \vdash (a{:}\alpha)M : \pitchfork a{:}\alpha.A'$, where $\Gamma \vdash A = A'[b/a] : \mathsf{type}$. Moreover, again by inversion we must have $\Gamma'\#a{:}\alpha \vdash M : A''$ where $\Gamma'\#a{:}\alpha \vdash A' = A'' : \mathsf{type}$. Thus, we may derive:
$$\frac{\Gamma \vdash b{:}\alpha \setminus \Gamma' \quad \dfrac{\dfrac{\Gamma'\#a{:}\alpha \vdash M : A'' \quad \Gamma'\#a{:}\alpha \vdash A' = A'' : \mathsf{type}}{\Gamma'\#a{:}\alpha \vdash M : A'}}{\Gamma'\#a{:}\alpha \vdash M = M : A'}}{\Gamma \vdash ((a{:}\alpha)M)@b = M[b/a] : A'[b/a]}$$
Since $\Gamma \vdash A = A'[b/a] : \mathsf{type}$, we can conclude $\Gamma \vdash ((a{:}\alpha)M)@b = M[b/a] : A$, as desired. □

Lemma 4.2 (Soundness of restriction). If $\Gamma, \Gamma_0$ are well-formed and $\Gamma^- \vdash a{:}\alpha \setminus \Gamma_0^-$ then $\Gamma \vdash a{:}\alpha \setminus \Gamma_0$.

Proof. Straightforward induction on derivations. □



Theorem 4.3 (Soundness).

(1) If $\Gamma^- \vdash M \Leftrightarrow N : A^-$ and $\Gamma \vdash M, N : A$ then $\Gamma \vdash M = N : A$.

(2) If $\Gamma^- \vdash M \leftrightarrow N : \tau$ and $\Gamma \vdash M : A$ and $\Gamma \vdash N : B$ then $\Gamma \vdash A = B : \mathsf{type}$ and $\Gamma \vdash M = N : A$ and $A^- = \tau = B^-$.

Proof. By simultaneous induction on the derivations of $\Gamma^- \vdash M \Leftrightarrow N : A^-$ and $\Gamma^- \vdash M \leftrightarrow N : \tau$. Again most cases are standard; we show the new cases only.
• If the derivation is of the form:
$$\frac{a{:}\alpha \in \Gamma^-}{\Gamma^- \vdash a \leftrightarrow a : \alpha}$$
then we must have $a{:}\alpha \in \Gamma$ so we can conclude that $\Gamma \vdash \alpha = \alpha : \mathsf{type}$ and $\Gamma \vdash a = a : \alpha$ and $\alpha^- = \alpha = \alpha^-$.

• If the derivation is of the form:
$$\frac{\Gamma^-\#a{:}\alpha \vdash M@a \Leftrightarrow N@a : \tau}{\Gamma^- \vdash M \Leftrightarrow N : \langle\alpha\rangle\tau}$$
where $A^- = \langle\alpha\rangle\tau$, then without loss of generality we assume $a$ is fresh for $\Gamma, A, M, N$. Then by inversion of erasure we must have $A = \pitchfork b{:}\alpha.A_0$ for some $A_0$ with $A_0^- = \tau$. Without loss of generality, assume that $b$ is fresh for $a, \Gamma, A, M, N$. Moreover, we can easily show that $\Gamma\#a{:}\alpha \vdash M@a : A_0[a/b]$ and similarly for $N$. Then by induction, we know that $\Gamma\#a{:}\alpha \vdash M@a = N@a : A_0[a/b]$, hence we can derive
$$\frac{\Gamma\#a{:}\alpha \vdash M@a = N@a : A_0[a/b]}{\Gamma \vdash M = N : \pitchfork a{:}\alpha.A_0[a/b]}$$
Since $A = \pitchfork b{:}\alpha.A_0$ and $a$ is sufficiently fresh, $A$ is $\alpha$-equivalent to $\pitchfork a{:}\alpha.A_0[a/b]$, so $\Gamma \vdash M = N : A$, as desired.

• If the derivation is of the form:
$$\frac{\Gamma^- \vdash a{:}\alpha \setminus \Gamma_0^- \quad \Gamma_0^- \vdash M \leftrightarrow N : \langle\alpha\rangle\tau}{\Gamma^- \vdash M@a \leftrightarrow N@a : \tau}$$
then we know that $\Gamma \vdash a{:}\alpha \setminus \Gamma_0$ by the soundness of restriction. Moreover, by inversion we know that $\Gamma \vdash a{:}\alpha \setminus \Gamma_1$ and $\Gamma_1 \vdash M : \pitchfork a{:}\alpha.A_0$ and $\Gamma \vdash A_0 = A : \mathsf{type}$ for some $\Gamma_1, A_0$, and similarly for $N$ for some $\Gamma_2, B_0$. By determinacy of restriction (Lemma 3.1) we know that $\Gamma_0 = \Gamma_1 = \Gamma_2$. Hence, by induction we have that $\Gamma_0 \vdash \pitchfork a{:}\alpha.A_0 = \pitchfork a{:}\alpha.B_0 : \mathsf{type}$ and $\Gamma_0 \vdash M = N : \pitchfork a{:}\alpha.A_0$ and $(\pitchfork a{:}\alpha.A_0)^- = \langle\alpha\rangle\tau = (\pitchfork a{:}\alpha.B_0)^-$. It follows immediately that $A_0^- = \tau = B_0^-$. In addition, we have that $\Gamma_0\#a{:}\alpha \vdash A_0 = B_0 : \mathsf{type}$ by injectivity of $\pitchfork$-type equality.

To conclude, we can derive:
$$\frac{\dfrac{\Gamma_0\#a{:}\alpha \vdash A_0 = B_0 : \mathsf{type}}{\Gamma \vdash A_0 = B_0 : \mathsf{type}}\ (W) \quad \Gamma \vdash B_0 = B : \mathsf{type}}{\Gamma \vdash A_0 = B : \mathsf{type}}$$
where the inference labeled $W$ is by weakening since we must have $\Gamma_0\#a{:}\alpha \preceq \Gamma$ by Lemma 3.2. Next, observe that by transitivity we have $\Gamma \vdash A = B : \mathsf{type}$ since $\Gamma \vdash A = A_0 : \mathsf{type}$ holds. Finally, we can also derive:
$$\frac{\Gamma \vdash a{:}\alpha \setminus \Gamma_0 \quad \Gamma_0 \vdash M = N : \pitchfork a{:}\alpha.A_0}{\Gamma \vdash M@a = N@a : A_0}$$
This completes the proof. □
$\Delta \vdash M = N \in [\![\delta]\!]$ iff $\Delta \vdash M \Leftrightarrow N : \delta$ $\quad(\delta \in \{\alpha, a^-\})$

$\Delta \vdash M = N \in [\![\tau_1 \to \tau_2]\!]$ iff $\forall \Delta' \succeq \Delta.\ \Delta' \vdash M' = N' \in [\![\tau_1]\!] \Longrightarrow \Delta' \vdash M\ M' = N\ N' \in [\![\tau_2]\!]$

$\Delta \vdash M = N \in [\![\langle\alpha\rangle\tau]\!]$ iff $\forall \Delta'', a, \Delta' \succeq \Delta.\ \Delta'' \vdash a{:}\alpha \setminus \Delta' \Longrightarrow \Delta'' \vdash M@a = N@a \in [\![\tau]\!]$

$$\frac{}{\Delta \vdash \cdot = \cdot \in [\![\cdot]\!]} \qquad \frac{\Delta \vdash \theta = \sigma \in [\![\Theta]\!] \quad \Delta \vdash M = N \in [\![\tau]\!]}{\Delta \vdash \theta, M/x = \sigma, N/x \in [\![\Theta, x{:}\tau]\!]} \qquad \frac{\Delta \vdash b{:}\alpha \setminus \Delta' \quad \Delta' \vdash \theta = \sigma \in [\![\Theta]\!]}{\Delta \vdash \theta, b/a = \sigma, b/a \in [\![\Theta\#a{:}\alpha]\!]}$$

Figure 14: Logical relation for objects and substitutions

4.2. Completeness. The proof of completeness is by a Kripke logical relation argument. The logical relation is extended with a case for name-abstraction types in Figure 14. We first state the key properties of the logical relation:

Lemma 4.4 (Logical substitution restriction). Suppose that $\Delta \vdash \theta = \sigma \in [\![\Gamma^-]\!]$ and $\Gamma \vdash a{:}\alpha \setminus \Gamma_0$. Then $\theta(a) = \sigma(a)$ and there exists $\Delta_0$ such that $\Delta \vdash \theta(a){:}\alpha \setminus \Delta_0$ and $\Delta_0 \vdash \theta - a = \sigma - a \in [\![\Gamma_0^-]\!]$.

Proof. It is straightforward to show that $\theta(a) = \sigma(a)$ by induction on the first derivation. For the second part, the proof is by induction on the second derivation, using inversion and the definition of substitution restriction. □

Lemma 4.5 (Weakening). If $\Delta \vdash M = N \in [\![\tau]\!]$ and $\Delta' \succeq \Delta$ then $\Delta' \vdash M = N \in [\![\tau]\!]$.

Proof. By induction on $\tau$. The only new case is for name-abstraction types $\langle\alpha\rangle\tau$. Suppose $\Delta \vdash M = N \in [\![\langle\alpha\rangle\tau]\!]$ and $\Delta' \succeq \Delta$. Let $\Delta'', \Delta''', a$ be given with $\Delta''' \vdash a{:}\alpha \setminus \Delta''$ and $\Delta'' \succeq \Delta'$. Then by transitivity we have $\Delta'' \succeq \Delta$, so by definition of the logical relation, $\Delta''' \vdash M@a = N@a \in [\![\tau]\!]$. Thus, we conclude that $\Delta' \vdash M = N \in [\![\langle\alpha\rangle\tau]\!]$ by the definition of the logical relation. □

Lemma 4.6 (Symmetry). If $\Delta \vdash M = N \in [\![\tau]\!]$ then $\Delta \vdash N = M \in [\![\tau]\!]$.

Proof. The proof is by induction on types; we show the case for $\langle\alpha\rangle\tau$. Assume $\Delta \vdash M = N \in [\![\langle\alpha\rangle\tau]\!]$, and let $\Delta'', a, \Delta'$ be given with $\Delta'' \vdash a{:}\alpha \setminus \Delta'$ and $\Delta' \succeq \Delta$. Then by definition we have $\Delta'' \vdash M@a = N@a \in [\![\tau]\!]$ and by induction we have $\Delta'' \vdash N@a = M@a \in [\![\tau]\!]$, so we may conclude that $\Delta \vdash N = M \in [\![\tau]\!]$. □

Lemma 4.7 (Transitivity). If $\Delta \vdash M = N \in \llbracket \tau \rrbracket$ and $\Delta \vdash N = O \in \llbracket \tau \rrbracket$ then $\Delta \vdash M = O \in \llbracket \tau \rrbracket$.

Proof. The proof is by induction on types; we show the case for $\langle\alpha\rangle\tau$. Suppose $\Delta \vdash M = N \in \llbracket \langle\alpha\rangle\tau \rrbracket$ and $\Delta \vdash N = O \in \llbracket \langle\alpha\rangle\tau \rrbracket$, and let $\Delta'', a, \Delta'$ be given with $\Delta'' \vdash a{:}\alpha \setminus \Delta'$ and $\Delta' \succeq \Delta$. Then by definition we have both $\Delta'' \vdash M@a = N@a \in \llbracket \tau \rrbracket$ and $\Delta'' \vdash N@a = O@a \in \llbracket \tau \rrbracket$, and by induction we have $\Delta'' \vdash M@a = O@a \in \llbracket \tau \rrbracket$, so we may conclude that $\Delta \vdash M = O \in \llbracket \langle\alpha\rangle\tau \rrbracket$. □

Lemma 4.8 (Closure under head expansion). If $M \rightsquigarrow M'$ and $\Delta \vdash M' = N \in \llbracket \tau \rrbracket$ then $\Delta \vdash M = N \in \llbracket \tau \rrbracket$.

Proof. The proof is by induction on types; we show the case for $\langle\alpha\rangle\tau$. Suppose $M \rightsquigarrow M'$ and $\Delta \vdash M' = N \in \llbracket \langle\alpha\rangle\tau \rrbracket$. Let $\Delta'', a, \Delta'$ be given with $\Delta'' \vdash a{:}\alpha \setminus \Delta'$ and $\Delta' \succeq \Delta$. Then $\Delta'' \vdash M'@a = N@a \in \llbracket \tau \rrbracket$ by definition of the logical relation. Moreover, we have that $M \rightsquigarrow M'$ implies $M@a \rightsquigarrow M'@a$. So, by induction we know that $\Delta'' \vdash M@a = N@a \in \llbracket \tau \rrbracket$, and we may conclude $\Delta \vdash M = N \in \llbracket \langle\alpha\rangle\tau \rrbracket$. □

Lemma 4.9 (Identity substitution). For any $\Gamma$ we have $\Gamma^- \vdash \mathrm{id}_\Gamma = \mathrm{id}_\Gamma \in \llbracket \Gamma^- \rrbracket$.

Proof. Induction on the structure of $\Gamma$. The base case and variable case are standard. Suppose $\Gamma = \Gamma_0\#a{:}\alpha$. Then by induction, $\Gamma_0^- \vdash \mathrm{id}_{\Gamma_0} = \mathrm{id}_{\Gamma_0} \in \llbracket \Gamma_0^- \rrbracket$. By weakening, we know that $\Gamma_0^-\#a{:}\alpha \vdash \mathrm{id}_{\Gamma_0} = \mathrm{id}_{\Gamma_0} \in \llbracket \Gamma_0^- \rrbracket$ holds. Moreover, $\Gamma_0^-\#a{:}\alpha \vdash a{:}\alpha \setminus \Gamma_0^-$ is derivable. Hence, we may conclude:

$$\frac{\Gamma_0^-\#a{:}\alpha \vdash a{:}\alpha \setminus \Gamma_0^- \qquad \Gamma_0^- \vdash \mathrm{id}_{\Gamma_0} = \mathrm{id}_{\Gamma_0} \in \llbracket \Gamma_0^- \rrbracket}{\Gamma_0^-\#a{:}\alpha \vdash \mathrm{id}_{\Gamma_0}, a/a = \mathrm{id}_{\Gamma_0}, a/a \in \llbracket \Gamma_0^-\#a{:}\alpha \rrbracket}$$

This concludes the proof. □

We now state the main properties relating definitional and algorithmic equality and the logical relation.

Theorem 4.10 (Logical implies algorithmic).

(1) If $\Delta \vdash M = N \in \llbracket \tau \rrbracket$ then $\Delta \vdash M \Leftrightarrow N : \tau$.

(2) If $\Delta \vdash M \leftrightarrow N : \tau$ then $\Delta \vdash M = N \in \llbracket \tau \rrbracket$.

Proof. By simultaneous induction on $\tau$. The new cases are those for $\tau = \langle\alpha\rangle\tau_0$.

(1) Suppose $\Delta \vdash M = N \in \llbracket \langle\alpha\rangle\tau \rrbracket$. Then we wish to show that $\Delta \vdash M \Leftrightarrow N : \langle\alpha\rangle\tau$. Choose a fresh name $a$ not present in $\Delta$. Then we can immediately derive $\Delta\#a{:}\alpha \vdash a{:}\alpha \setminus \Delta$, and obviously $\Delta \succeq \Delta$, so by definition of the logical relation, $\Delta\#a{:}\alpha \vdash M@a = N@a \in \llbracket \tau \rrbracket$. By induction, we have $\Delta\#a{:}\alpha \vdash M@a \Leftrightarrow N@a : \tau$, so we may conclude:

$$\frac{\Delta\#a{:}\alpha \vdash a{:}\alpha \setminus \Delta \qquad \Delta\#a{:}\alpha \vdash M@a \Leftrightarrow N@a : \tau}{\Delta \vdash M \Leftrightarrow N : \langle\alpha\rangle\tau}$$

(2) Suppose $\Delta \vdash M \leftrightarrow N : \langle\alpha\rangle\tau$. Let $\Delta', a, \Delta''$ be given with $\Delta'' \vdash a{:}\alpha \setminus \Delta'$ and $\Delta' \succeq \Delta$. Then we may derive:

$$\frac{\Delta'' \vdash a{:}\alpha \setminus \Delta' \qquad \dfrac{\Delta \vdash M \leftrightarrow N : \langle\alpha\rangle\tau}{\Delta' \vdash M \leftrightarrow N : \langle\alpha\rangle\tau}\ W}{\Delta'' \vdash M@a \leftrightarrow N@a : \tau}$$

where the step labeled $W$ is by weakening using $\Delta \preceq \Delta'$. Hence, the induction hypothesis applies and we have $\Delta'' \vdash M@a = N@a \in \llbracket \tau \rrbracket$, so we may conclude by definition that $\Delta \vdash M = N \in \llbracket \langle\alpha\rangle\tau \rrbracket$.

This completes the proof. □

Theorem 4.11 (Definitional implies logical). If $\Gamma \vdash M = N : A$ and $\Delta \vdash \theta = \sigma \in \llbracket \Gamma^- \rrbracket$ then $\Delta \vdash M[\theta] = N[\sigma] \in \llbracket A^- \rrbracket$.

Proof. By induction on the definitional equality derivation. We show the new cases involving the new definitional equality rules.

• If the derivation is of the form:

$$\frac{a{:}\alpha \in \Gamma}{\Gamma \vdash a = a : \alpha}\ \mathit{eq\_nm}$$

then it is immediate that $\Gamma^- \vdash a \Leftrightarrow a : \alpha$ and hence $\Gamma^- \vdash a = a \in \llbracket \alpha \rrbracket$.
• If the derivation is of the form:

$$\frac{\Gamma\#a{:}\alpha \vdash M = N : A}{\Gamma \vdash \langle a{:}\alpha\rangle M = \langle a{:}\alpha\rangle N : \nabla a{:}\alpha.A}\ \mathit{eq\_abs}$$

then we wish to show that $\Delta \vdash (\langle a{:}\alpha\rangle M)[\theta] = (\langle a{:}\alpha\rangle N)[\sigma] \in \llbracket \langle\alpha\rangle A^- \rrbracket$. To prove this, suppose $\Delta', \Delta'', b$ are given with $\Delta'' \vdash b{:}\alpha \setminus \Delta'$ and $\Delta' \succeq \Delta$. Using logical relation weakening, we have that $\Delta' \vdash \theta = \sigma \in \llbracket \Gamma^- \rrbracket$. So we may derive

$$\frac{\Delta'' \vdash b{:}\alpha \setminus \Delta' \qquad \Delta' \vdash \theta = \sigma \in \llbracket \Gamma^- \rrbracket}{\Delta'' \vdash \theta, b/a = \sigma, b/a \in \llbracket \Gamma^-\#a{:}\alpha \rrbracket}$$

So by induction, we have $\Delta'' \vdash M[\theta, b/a] = N[\sigma, b/a] \in \llbracket A^- \rrbracket$. Moreover,

$$(\langle a{:}\alpha\rangle M)[\theta]@b = (\langle a{:}\alpha\rangle M[\theta])@b \rightsquigarrow M[\theta][b/a] = M[\theta, b/a]$$

Similarly,

$$(\langle a{:}\alpha\rangle N)[\sigma]@b = (\langle a{:}\alpha\rangle N[\sigma])@b \rightsquigarrow N[\sigma][b/a] = N[\sigma, b/a]$$

Hence, using Lemma 4.8, we can conclude that $\Delta'' \vdash (\langle a{:}\alpha\rangle M)[\theta]@b = (\langle a{:}\alpha\rangle N)[\sigma]@b \in \llbracket A^- \rrbracket$. Moreover, since $\Delta'', \Delta', b$ were arbitrary, we have that $\Delta \vdash (\langle a{:}\alpha\rangle M)[\theta] = (\langle a{:}\alpha\rangle N)[\sigma] \in \llbracket \langle\alpha\rangle A^- \rrbracket$, as desired.

• If the derivation is of the form:

$$\frac{\Gamma \vdash b{:}\alpha \setminus \Gamma_0 \qquad \Gamma_0 \vdash M = N : \nabla a{:}\alpha.A}{\Gamma \vdash M@b = N@b : A[b/a]}\ \mathit{eq\_conc}$$

then we wish to show that $\Delta \vdash (M@b)[\theta] = (N@b)[\sigma] \in \llbracket A^- \rrbracket$ (noting that $A[b/a]^- = A^-$). By Lemma 4.4 we know that $\theta(b) = \sigma(b)$ and there must exist $\Delta_0$ such that $\Delta \vdash \theta(b){:}\alpha \setminus \Delta_0$ and $\Delta_0 \vdash \theta - b = \sigma - b \in \llbracket \Gamma_0^- \rrbracket$. Moreover, by induction we have that $\Delta_0 \vdash M[\theta - b] = N[\sigma - b] \in \llbracket \langle\alpha\rangle A^- \rrbracket$. Observe that $\Delta_0\#\theta(b){:}\alpha \vdash \theta(b){:}\alpha \setminus \Delta_0$ is immediately derivable, and that $\Delta_0 \succeq \Delta_0$ trivially holds. Thus, by definition we have $\Delta_0\#\theta(b){:}\alpha \vdash M[\theta - b]@\theta(b) = N[\sigma - b]@\theta(b) \in \llbracket A^- \rrbracket$. To conclude, we observe that $M[\theta - b]@\theta(b) = (M@b)[\theta]$ and $N[\sigma - b]@\theta(b) = (N@b)[\sigma]$ since $\theta(b) = \sigma(b)$, and in addition $\Delta_0\#\theta(b){:}\alpha \preceq \Delta$, so by weakening we have $\Delta \vdash (M@b)[\theta] = (N@b)[\sigma] \in \llbracket A^- \rrbracket$, as desired.

• If the derivation is of the form:

$$\frac{\Gamma \vdash b{:}\alpha \setminus \Gamma_0 \qquad \Gamma_0\#a{:}\alpha \vdash M = N : A}{\Gamma \vdash (\langle a{:}\alpha\rangle M)@b = N[b/a] : A[b/a]}\ \mathit{eq\_nm\_beta}$$

then we must show that $\Delta \vdash ((\langle a{:}\alpha\rangle M)@b)[\theta] = (N[b/a])[\sigma] \in \llbracket A^- \rrbracket$, again noting $A^- = A[b/a]^-$. Again using Lemma 4.4 we know that $\theta(b) = \sigma(b)$ and there must exist $\Delta_0$ such that $\Delta \vdash \theta(b){:}\alpha \setminus \Delta_0$ and $\Delta_0 \vdash \theta - b = \sigma - b \in \llbracket \Gamma_0^- \rrbracket$. Moreover, we can derive

$$\frac{\Delta_0\#\theta(b){:}\alpha \vdash \theta(b){:}\alpha \setminus \Delta_0 \qquad \Delta_0 \vdash \theta - b = \sigma - b \in \llbracket \Gamma_0^- \rrbracket}{\Delta_0\#\theta(b){:}\alpha \vdash (\theta - b), \theta(b)/a = (\sigma - b), \theta(b)/a \in \llbracket \Gamma_0^-\#a{:}\alpha \rrbracket}$$

and so, by induction, we have $\Delta_0\#\theta(b){:}\alpha \vdash M[\theta - b, \theta(b)/a] = N[\sigma - b, \theta(b)/a] \in \llbracket A^- \rrbracket$. Now we observe that:

$$\begin{array}{rcl}
((\langle a{:}\alpha\rangle M)@b)[\theta] &=& (\langle a{:}\alpha\rangle M)[\theta]@b[\theta]\\
&=& (\langle a{:}\alpha\rangle M[\theta])@\theta(b)\\
&\rightsquigarrow& M[\theta][\theta(b)/a]\\
&=& M[\theta - b][\theta(b)/a] = M[\theta - b, \theta(b)/a]
\end{array}$$

and

$$\begin{array}{rcl}
N[\sigma - b, \theta(b)/a] &=& N[\sigma - b][\theta(b)/a]\\
&=& N[\sigma][\sigma(b)/a]\\
&=& N[b/a][\sigma].
\end{array}$$

Hence, by Lemma 4.8 and weakening $\Delta_0\#\theta(b){:}\alpha \preceq \Delta$ we can conclude $\Delta \vdash ((\langle a{:}\alpha\rangle M)@b)[\theta] = N[b/a][\sigma] \in \llbracket A^- \rrbracket$, as desired.

• If the derivation is of the form:

$$\frac{\Gamma\#a{:}\alpha \vdash M@a = N@a : A}{\Gamma \vdash M = N : \nabla a{:}\alpha.A}\ \mathit{eq\_nm\_eta}$$

then we wish to show that $\Delta \vdash M[\theta] = N[\sigma] \in \llbracket \langle\alpha\rangle A^- \rrbracket$. To prove this, let $\Delta', \Delta'', b$ be given such that $\Delta'' \vdash b{:}\alpha \setminus \Delta'$ and $\Delta' \succeq \Delta$. We may then derive:

$$\frac{\Delta'' \vdash b{:}\alpha \setminus \Delta' \qquad \dfrac{\Delta \vdash \theta = \sigma \in \llbracket \Gamma^- \rrbracket}{\Delta' \vdash \theta = \sigma \in \llbracket \Gamma^- \rrbracket}\ W}{\Delta'' \vdash \theta, b/a = \sigma, b/a \in \llbracket \Gamma^-\#a{:}\alpha \rrbracket}$$

where the step labeled $W$ is by logical relation weakening. So, by induction, we obtain $\Delta'' \vdash (M@a)[\theta, b/a] = (N@a)[\sigma, b/a] \in \llbracket A^- \rrbracket$. Moreover, we calculate $(M@a)[\theta, b/a] = M[\theta, b/a]@b = M[\theta]@b$ since $a$ must not appear in $M$. Similarly, $(N@a)[\sigma, b/a] = N[\sigma]@b$. We thus have $\Delta'' \vdash M[\theta]@b = N[\sigma]@b \in \llbracket A^- \rrbracket$, as desired to show $\Delta \vdash M[\theta] = N[\sigma] \in \llbracket \langle\alpha\rangle A^- \rrbracket$.

This completes the proof. □

Theorem 4.12 (Completeness). If $\Gamma \vdash M = N : A$ then $\Gamma^- \vdash M \Leftrightarrow N : A^-$.

Proof. Immediate, combining Lemma 4.9, Theorem 4.11 and Theorem 4.10. □



4.3. Decidability, canonical forms and conservativity. Once we have established that algorithmic equivalence is sound and complete for well-formed terms, we can also extend the algorithmic typechecking rules in Harper and Pfenning's system to handle name-abstractions and verify that all judgments are decidable:

Theorem 4.13 (Decidability). All judgments of $\lambda\Pi\nabla$ are decidable.

We say that a $\lambda\Pi\nabla$ expression is in canonical form if it is $\beta$-normal and cannot be $\eta$-expanded without introducing a $\beta$-redex. Canonical forms of $\lambda\Pi\nabla$ are similar to those for LF, but can include name-abstractions and concretions.

$$\frac{}{\mathrm{atomic}(a)} \qquad \frac{\mathrm{atomic}(A)}{\mathrm{atomic}(A\,M)}$$

$$\frac{c{:}A \in \Sigma}{\Gamma \vdash c \Downarrow c : A} \qquad \frac{x{:}A \in \Gamma}{\Gamma \vdash x \Downarrow x : A} \qquad \frac{\Gamma \vdash M \Downarrow M' : \Pi x{:}A.B \qquad \Gamma \vdash N \Uparrow N' : A}{\Gamma \vdash M\,N \Downarrow M'\,N' : B[N'/x]}$$

$$\frac{a{:}\alpha \in \Gamma}{\Gamma \vdash a \Downarrow a : \alpha} \qquad \frac{\Gamma \vdash a{:}\alpha \setminus \Gamma' \qquad \Gamma' \vdash M \Downarrow N : \nabla a{:}\alpha.B}{\Gamma \vdash M@a \Downarrow N@a : B}$$

$$\frac{\Gamma, x{:}A \vdash M\,x \Uparrow N : B}{\Gamma \vdash M \Uparrow \lambda x{:}A.N : \Pi x{:}A.B} \qquad \frac{\Gamma\#a{:}\alpha \vdash M@a \Uparrow N : B}{\Gamma \vdash M \Uparrow \langle a{:}\alpha\rangle N : \nabla a{:}\alpha.B}$$

$$\frac{\Gamma \vdash M \Downarrow N : A \qquad \mathrm{atomic}(A)}{\Gamma \vdash M \Uparrow N : A} \qquad \frac{M \rightsquigarrow M' \qquad \Gamma \vdash M' \Uparrow N : A \qquad \mathrm{atomic}(A)}{\Gamma \vdash M \Uparrow N : A}$$

$$\frac{a{:}K \in \Sigma}{\Gamma \vdash a \Downarrow a : K} \qquad \frac{\alpha{:}\mathsf{name} \in \Sigma}{\Gamma \vdash \alpha \Downarrow \alpha : \mathsf{type}} \qquad \frac{\Gamma \vdash A \Downarrow A' : \Pi x{:}B.K \qquad \Gamma \vdash M \Uparrow M' : B}{\Gamma \vdash A\,M \Downarrow A'\,M' : K[M'/x]}$$

$$\frac{\Gamma \vdash A \Downarrow A' : \mathsf{type}}{\Gamma \vdash A \Uparrow A' : \mathsf{type}} \qquad \frac{\Gamma \vdash A \Uparrow A' : \mathsf{type} \qquad \Gamma, x{:}A' \vdash B \Uparrow B' : \mathsf{type}}{\Gamma \vdash \Pi x{:}A.B \Uparrow \Pi x{:}A'.B' : \mathsf{type}} \qquad \frac{\Gamma\#a{:}\alpha \vdash B \Uparrow B' : \mathsf{type}}{\Gamma \vdash \nabla a{:}\alpha.B \Uparrow \nabla a{:}\alpha.B' : \mathsf{type}}$$

$$\frac{}{\Gamma \vdash \mathsf{type} \Uparrow \mathsf{type} : \mathsf{kind}} \qquad \frac{\Gamma \vdash A \Uparrow A' : \mathsf{type} \qquad \Gamma, x{:}A' \vdash K \Uparrow K' : \mathsf{kind}}{\Gamma \vdash \Pi x{:}A.K \Uparrow \Pi x{:}A'.K' : \mathsf{kind}}$$

Figure 15: Canonicalization

The following grammar describes the syntax of canonical and atomic forms:

$$\begin{array}{rcl}
M_c &::=& \lambda x{:}A_c.M_c \mid \langle a{:}\alpha\rangle M_c \mid M_a\\
M_a &::=& c \mid x \mid a \mid M_a\,M_c \mid M_a@a\\
A_c &::=& a \mid \alpha \mid A_c\,M_c \mid \Pi x{:}A_c.B_c \mid \nabla a{:}\alpha.A_c\\
K_c &::=& \mathsf{type} \mid \Pi x{:}A_c.K_c
\end{array}$$

Note, however, that not all terms matching the above grammar are in canonical or atomic form; further typing constraints are needed to ensure full $\eta$-expansion. We give an inference rule system for canonicalizing object terms, which also implicitly gives the typing constraints that canonical forms must satisfy, in Figure 15. In particular, the $\mathrm{atomic}(\cdot)$ predicate is used to restrict weak head normalization and ensure only atomic forms whose type is an atomic type $A\,M_1 \cdots M_n$ can be considered canonical.

We will show:

Theorem 4.14 (Canonical forms). Assume that all the types and kinds in $\Gamma$, $\Sigma$ and $A$ are in canonical form. Then:

(1) If $\Gamma \vdash M : A$ then there exists a canonical $P$ such that $\Gamma \vdash M \Uparrow P : A$ and $\Gamma \vdash M = P : A$.

(2) If $P'$ also satisfies $\Gamma \vdash M \Uparrow P' : A$, then $P = P'$.

(3) If $\Gamma \vdash M = N : A$ holds, then their canonical forms are equal.

To show the canonicalization theorem, we first show the stronger property:

Lemma 4.15 (Algorithmically equivalent terms have common canonical forms). Assume that all types and kinds in $\Sigma$, $\Gamma$, $A$ and $B$ are in canonical form. Then:

(1) If $\Gamma \vdash M : A$ and $\Gamma \vdash N : B$ and $\Gamma^- \vdash M \leftrightarrow N : \tau$ then $\Gamma \vdash A = B : \mathsf{type}$ and $A^- = B^- = \tau$ and there exists $P$ such that $\Gamma \vdash M \Downarrow P : A$ and $\Gamma \vdash N \Downarrow P : A$.

(2) If $\Gamma \vdash M : A$ and $\Gamma \vdash N : A$ and $\Gamma^- \vdash M \Leftrightarrow N : A^-$ then there exists $P$ such that $\Gamma \vdash M \Uparrow P : A$ and $\Gamma \vdash N \Uparrow P : A$.

Proof. By structural induction on the algorithmic derivations, using inversion and injectivity of products as appropriate. For the ordinary cases, we need the assumption that $\Sigma$, $\Gamma$, $A$, $B$ are already canonical in order to ensure that type tags in $M$, $N$ are compatible. We show the cases specific to $\lambda\Pi\nabla$:

• If the derivation is of the form

$$\frac{a{:}\alpha \in \Gamma^-}{\Gamma^- \vdash a \leftrightarrow a : \alpha}$$

then we must have that $M = a = N$ and $A = \alpha = B$ and $a{:}\alpha \in \Gamma$, so we can conclude that $\Gamma \vdash \alpha = \alpha : \mathsf{type}$ and derive

$$\frac{a{:}\alpha \in \Gamma}{\Gamma \vdash a \Downarrow a : \alpha} \qquad \frac{a{:}\alpha \in \Gamma}{\Gamma \vdash a \Downarrow a : \alpha}$$

• If the derivation is of the form

$$\frac{\Gamma^- \vdash a{:}\alpha \setminus \Delta' \qquad \Delta' \vdash M \leftrightarrow N : \langle\alpha\rangle\tau}{\Gamma^- \vdash M@a \leftrightarrow N@a : \tau}$$

then by inversion we have $\Gamma \vdash a{:}\alpha_1 \setminus \Gamma_1$ and $\Gamma_1 \vdash M : \nabla a{:}\alpha_1.A_1$. Similarly, we have $\Gamma \vdash a{:}\alpha_2 \setminus \Gamma_2$ and $\Gamma_2 \vdash N : \nabla a{:}\alpha_2.A_2$. Moreover we must have $\alpha_1 = \alpha_2$ and $\Gamma_1 = \Gamma_2$; also, we must have $\Gamma_1^- = \Delta'$. So, the induction hypothesis applies and we know that $\Gamma_1 \vdash \nabla a{:}\alpha_1.A_1 = \nabla a{:}\alpha_2.A_2 : \mathsf{type}$ and $(\nabla a{:}\alpha_1.A_1)^- = \langle\alpha\rangle\tau = (\nabla a{:}\alpha_2.A_2)^-$, which implies that $\alpha_1 = \alpha = \alpha_2$ and $A_1^- = \tau = A_2^-$. In fact, since $A_1$ and $A_2$ are in canonical form already, we must have $A_1 = A_2$. Furthermore, by induction we also have $\Gamma_1 \vdash M \Downarrow P : \nabla a{:}\alpha.A_1$ and $\Gamma_1 \vdash N \Downarrow P : \nabla a{:}\alpha.A_1$. To conclude, we may derive:

$$\frac{\Gamma \vdash a{:}\alpha \setminus \Gamma_1 \qquad \Gamma_1 \vdash M \Downarrow P : \nabla a{:}\alpha.A_1}{\Gamma \vdash M@a \Downarrow P@a : A_1} \qquad \frac{\Gamma \vdash a{:}\alpha \setminus \Gamma_1 \qquad \Gamma_1 \vdash N \Downarrow P : \nabla a{:}\alpha.A_1}{\Gamma \vdash N@a \Downarrow P@a : A_1}$$

• If the derivation is of the form

$$\frac{\Gamma^-\#a{:}\alpha \vdash M@a \Leftrightarrow N@a : \tau}{\Gamma^- \vdash M \Leftrightarrow N : A^-}$$

then we must have that $A^- = \langle\alpha\rangle\tau$ for some $\alpha$ and $\tau$, and so $A$ must be of the form $\nabla a{:}\alpha.B$ where $B^- = \tau$. Thus, we have a derivation of $\Gamma^-\#a{:}\alpha \vdash M@a \Leftrightarrow N@a : B^-$. Moreover, we can derive $\Gamma\#a{:}\alpha \vdash M@a : B$ and $\Gamma\#a{:}\alpha \vdash N@a : B$. So by induction we have derivations of $\Gamma\#a{:}\alpha \vdash M@a \Uparrow P : B$ and $\Gamma\#a{:}\alpha \vdash N@a \Uparrow P : B$, so we can conclude by deriving:

$$\frac{\Gamma\#a{:}\alpha \vdash M@a \Uparrow P : B}{\Gamma \vdash M \Uparrow \langle a{:}\alpha\rangle P : \nabla a{:}\alpha.B} \qquad \frac{\Gamma\#a{:}\alpha \vdash N@a \Uparrow P : B}{\Gamma \vdash N \Uparrow \langle a{:}\alpha\rangle P : \nabla a{:}\alpha.B}$$

□
We can also easily show that canonicalization is sound with respect to definitional equivalence:

Lemma 4.16 (Soundness of canonicalization).

(1) If $\Gamma \vdash M \Downarrow P : A$ then $\Gamma \vdash M = P : A$.

(2) If $\Gamma \vdash M \Uparrow P : A$ then $\Gamma \vdash M = P : A$.

We also need to show that the canonicalization judgment is deterministic:

Lemma 4.17 (Determinism of canonicalization).

(1) If $\Gamma \vdash M \Downarrow P : A$ and $\Gamma \vdash M \Downarrow P' : A'$ then $P = P'$ and $A = A'$.

(2) If $\Gamma \vdash M \Uparrow P : A$ and $\Gamma \vdash M \Uparrow P' : A$ then $P = P'$.

Proof. By induction on derivations and inversion. □

The above lemmas imply the first and second parts of the Canonicalization Theorem. The third part follows by inspection of the rules for canonicalization, since if $A$ and $\Gamma$ are already in canonical form then any types that are copied into the result of canonicalization will also be canonical.

Moreover, we can use the canonicalization rules for types and kinds shown in Figure 15 to canonicalize $\Sigma$, $\Gamma$ and $A$, so we have the following stronger result:

Theorem 4.18. If $\Sigma$ and $\Gamma$ are in canonical form and $\Gamma \vdash M : A$ then there exist unique canonical $A'$ and $M'$ such that $\Gamma \vdash A = A' : \mathsf{type}$ and $\Gamma \vdash M = M' : A'$.

Finally, the canonical forms theorem implies that $\lambda\Pi\nabla$ is a conservative extension of LF in the sense that it introduces no new derivable LF judgments.

Corollary 4.19 (Conservativity). If $\Gamma \vdash J$ is an LF judgment over a valid LF signature $\Sigma$ and is derivable in $\lambda\Pi\nabla$, then $\Gamma \vdash J$ is derivable in LF.

5. Adequacy

It is a significant concern whether a given signature correctly represents an object language we have in mind. This property is often referred to as adequacy in an LF setting [15, 6]. As in LF, adequacy in $\lambda\Pi\nabla$ relies upon the existence of (unique) canonical forms.

In this section, we sketch an adequacy argument for a typical object language, the untyped lambda-calculus equipped with an inequality predicate (as shown in the introduction).

Recall the signature given in Figure 1. The canonical forms of expressions of type $e$ in $\lambda\Pi\nabla$ are generated by the grammar:

$$M_0, N_0 ::= \mathsf{var}\,x \mid \mathsf{app}\,M_0\,N_0 \mid \mathsf{lam}\,\langle x{:}v\rangle M_0$$

The encoding is defined on object-language terms as follows:

$$\ulcorner x \urcorner = \mathsf{var}\,x \qquad \ulcorner t\,u \urcorner = \mathsf{app}\,\ulcorner t \urcorner\,\ulcorner u \urcorner \qquad \ulcorner \lambda x.t \urcorner = \mathsf{lam}\,\langle x\rangle \ulcorner t \urcorner$$

The main result concerning the correctness of the encoding is:

Theorem 5.1 (Adequacy of encoding). The encoding function $\ulcorner - \urcorner$ is injective and maps object language terms $t$ (having free variables $x_1, \ldots, x_n$) onto the set of canonical forms of type $e$ (in context $x_1{:}v\#\ldots\#x_n{:}v$). Moreover, the encoding function commutes with renaming, that is, $\ulcorner t[x/y] \urcorner = \ulcorner t \urcorner[x/y]$.
Furthermore, we can reason by inversion on canonical forms to establish that the alpha-inequality judgment holds precisely for terms whose encodings are different modulo alpha-equivalence:

Theorem 5.2 (Adequacy of neq). Suppose we have object terms $t, u$ with free variables $x_1, \ldots, x_n$. Then $t \not\equiv_\alpha u$ if and only if $x_1{:}v\#\ldots\#x_n{:}v \vdash \mathcal{D} : \mathsf{neq}\,\ulcorner t \urcorner\,\ulcorner u \urcorner$ is derivable for some (canonical) $\mathcal{D}$.

Proof. The forward direction is straightforward. The reverse direction is proved by induction on the canonical form of the proof term $\mathcal{D}$. One key case is when $\mathcal{D}$ is of the form $\mathsf{neq\_vv}@x_i@x_j$. In this case, we must have $\ulcorner t \urcorner = \mathsf{var}\,x_i$ and $\ulcorner u \urcorner = \mathsf{var}\,x_j$ for some $i \neq j$, since otherwise $\mathcal{D}$ would be ill-formed. Clearly, then $t$ must be $x_i$ and $u$ must be $x_j$, which are not $\alpha$-equivalent.

Another key case is that for $\mathcal{D} = \mathsf{neq\_ll}\,M_1\,M_2\,\mathcal{D}' : \mathsf{neq}\,(\ulcorner t_1 \urcorner)\,(\ulcorner t_2 \urcorner)$. In this case, we know that $\ulcorner t_1 \urcorner = \mathsf{lam}\,M_1$ and $\ulcorner t_2 \urcorner = \mathsf{lam}\,M_2$, so $t_1 = \lambda x.t_1'$ and $t_2 = \lambda x.t_2'$ for some $x, t_1', t_2'$ (without loss of generality we can assume the same name $x$ is used for both and $x$ is fresh for all other terms). Hence $M_1 = \langle x\rangle \ulcorner t_1' \urcorner$ and $M_2 = \langle x\rangle \ulcorner t_2' \urcorner$, which means that the subderivation $\mathcal{D}'$ must have type $\nabla x.\,\mathsf{neq}\,((\langle x\rangle \ulcorner t_1' \urcorner)@x)\,((\langle x\rangle \ulcorner t_2' \urcorner)@x)$. By weakening the context to include name $x : v$ and $\beta$-converting, we can see that $\mathcal{D}'@x$ must also have type $\mathsf{neq}\,(\ulcorner t_1' \urcorner)\,(\ulcorner t_2' \urcorner)$. Moreover, $\mathcal{D}'@x$ must have a canonical form of this type, and so by induction we know that $t_1' \not\equiv_\alpha t_2'$. This implies $t_1 = \lambda x.t_1' \not\equiv_\alpha \lambda x.t_2' = t_2$. □
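The alpha-inequality judgment and its adequacy (Theorem 5.2) can be exercised directly on nominal abstract syntax. The following Python is an added example, not code from the paper: it represents the signature of Figure 1 with a name-swapping operation, decides alpha-equivalence and the `neq` judgment by concreting both abstractions at one fresh name (the $\nabla$-quantified case of the proof), and checks the equivalence stated by Theorem 5.2 on sample terms. The names `swap`, `concretion`, `alpha_eq`, `neq`, `adequate_on` and the fresh-name scheme `n0, n1, ...` are this example's own; of the rule names only `neq_vv` and `neq_ll` come from the paper, the other case labels are assumptions.

```python
from dataclasses import dataclass
from itertools import count

# Nominal abstract syntax for the untyped lambda-calculus, after the signature
# in Figure 1 of the paper: var : v -> e, app : e -> e -> e, lam : <<v>>e -> e.
# Names of type v are Python strings; Lam holds the name-abstraction <binder>body.
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    fun: object
    arg: object

@dataclass(frozen=True)
class Lam:
    binder: str
    body: object


def swap(a, b, t):
    """The name swapping (a b)·t: exchange the names a and b everywhere in t.
    Unlike substitution it is total and purely structural, which is what makes
    alpha-equivalence and concretion easy to define over nominal syntax."""
    def sw(n):
        return b if n == a else a if n == b else n
    if isinstance(t, Var):
        return Var(sw(t.name))
    if isinstance(t, App):
        return App(swap(a, b, t.fun), swap(a, b, t.arg))
    return Lam(sw(t.binder), swap(a, b, t.body))


def names(t):
    """All names occurring in t (free or bound); used only to pick fresh ones."""
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, App):
        return names(t.fun) | names(t.arg)
    return {t.binder} | names(t.body)


def fresh(avoid):
    """A name not in `avoid` (constructed naming scheme: n0, n1, ...)."""
    for i in count():
        if f"n{i}" not in avoid:
            return f"n{i}"


def concretion(abstraction, a):
    """(<x>M)@a = (x a)·M, the beta rule for name-abstractions; valid when a is
    fresh for M, which every caller below guarantees by choosing a with fresh()."""
    x, body = abstraction
    return swap(x, a, body)


def alpha_eq(t, u):
    """Decide t =alpha u.  The Lam case concretes both abstractions at one fresh
    name, the computational reading of comparing under the nabla quantifier."""
    if isinstance(t, Var) and isinstance(u, Var):
        return t.name == u.name
    if isinstance(t, App) and isinstance(u, App):
        return alpha_eq(t.fun, u.fun) and alpha_eq(t.arg, u.arg)
    if isinstance(t, Lam) and isinstance(u, Lam):
        a = fresh(names(t) | names(u))
        return alpha_eq(concretion((t.binder, t.body), a),
                        concretion((u.binder, u.body), a))
    return False


def neq(t, u):
    """Decide the alpha-inequality judgment neq t u, following the shape of the
    rules discussed in the adequacy proof: neq_vv (two distinct names) and
    neq_ll (compare the bodies at a fresh name).  The app and mismatch cases
    are labelled here by assumption."""
    if isinstance(t, Var) and isinstance(u, Var):
        return t.name != u.name                      # neq_vv: x != y
    if isinstance(t, Lam) and isinstance(u, Lam):    # neq_ll
        a = fresh(names(t) | names(u))
        return neq(concretion((t.binder, t.body), a),
                   concretion((u.binder, u.body), a))
    if isinstance(t, App) and isinstance(u, App):    # differ in function or argument
        return neq(t.fun, u.fun) or neq(t.arg, u.arg)
    return True                                      # different head constructors


def adequate_on(pairs):
    """The property of Theorem 5.2 checked on a list of term pairs:
    neq t u holds exactly when t and u are not alpha-equivalent."""
    return all(neq(t, u) == (not alpha_eq(t, u)) for t, u in pairs)
```

Because swapping is total, `concretion` never needs a capture check of its own; the only obligation is that the chosen name is fresh for both bodies, which is exactly the side condition the type system discharges with the `#` contexts.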

6. Extensions and Examples

In previous work on a simple nominal type theory [5] we discussed extensions such as name-comparison operations, lists, datatypes involving name-binding, and recursion combinators for defining functions over such datatypes. These extensions were motivated by a denotational interpretation of SNTT using nominal sets (following [28]). We will not develop a denotational semantics of $\lambda\Pi\nabla$ here; however, the topos of nominal sets provides all of the necessary structure to interpret dependent types, and it seems clear that the extensions we consider can be justified using Schöpp and Stark's semantics for a more general nominal type theory [37, 35] or using Pitts' approach to recursion in a slightly different nominal type theory [30, 31].

In this section we recapitulate and generalize extensions for name-comparison, recursive function definitions and inductive reasoning in $\lambda\Pi\nabla$. The computational extensions can easily be proved type-sound but do not necessarily preserve the canonicalization or decidability properties established earlier; we expect that these extensions would be more relevant to intensional type theories where only $\beta$-normalization results are needed. We also discuss applications of $\lambda\Pi\nabla$ as a framework for defining logics and for encoding proof terms about languages with names and binding.

Name-comparison. First, we consider a name comparison operation:

$$\mathsf{cond}_\alpha : \langle\langle\alpha\rangle\rangle\alpha \to A \to (\alpha \to A) \to A$$

$$\mathsf{cond}_\alpha\ (\langle x\rangle x)\ M\ N \to_\beta M \qquad \mathsf{cond}_\alpha\ (\langle x\rangle y)\ M\ N \to_\beta N\ y$$

This takes a name-abstraction and two additional arguments $M : A$, $N : \alpha \to A$. If the abstraction is of the form $\langle x\rangle x$, we return $M$; otherwise, if it is of the form $\langle y\rangle x$ where $x \neq y$, we return $N\ x$. Note that it would make little sense to allow the type $A$ to depend on $x$, since $x$ may not "escape" in the first case.

Recursion. Now consider the standard nominal datatype encoding of the lambda-calculus introduced in the introduction (Figure 1). This datatype admits an obvious dependently-typed recursion principle:

$$\begin{array}{rl}
\mathsf{rec}_{T,e} : & (\Pi x{:}v.\,T\,(\mathsf{var}\,x)) \to\\
& (\Pi M,N{:}e.\,T\,M \to T\,N \to T\,(\mathsf{app}\,M\,N)) \to\\
& (\Pi M{:}\langle\langle v\rangle\rangle e.\,(\nabla a{:}v.\,T\,(M@a)) \to T\,(\mathsf{lam}\,M)) \to\\
& \Pi M{:}e.\,T\,M
\end{array}$$

for any $T : \Pi x{:}e.\mathsf{type}$. We also equip $\mathsf{rec}_{T,e}$ with the obvious rewriting rules for $\mathsf{var}$ and $\mathsf{app}$, along with

$$\mathsf{rec}_{T,e}\ V\ A\ L\ (\mathsf{lam}\,F) \rightsquigarrow L\ F\ (\langle a{:}v\rangle \mathsf{rec}_{T,e}\ V\ A\ L\ (F@a))$$

(provided $a \notin FV(V, A, L, F)$) for lambda-abstractions.

6.1. Closure conversion. Closure conversion (see for example [1]) is an important transformation in functional language compilation. A function is closed if it refers only to its argument and locally defined variables, not to variables whose scope began outside the function. Closure conversion translates an arbitrary expression to one containing only closed functions. There are many ways of doing this, embodying different approaches to managing the environment. We consider a simplistic approach in which each function is translated to a pair consisting of a closed function and an environment containing all non-local variable values. We define the translation of a term $e$ that is well-formed in context $\Gamma$ and environment $env$ as $\mathcal{C}[\![\Gamma \vdash e]\!]env$, where

$$\begin{array}{rcl}
\mathcal{C}[\![\Gamma, x \vdash x]\!]env &=& \pi_1(env)\\
\mathcal{C}[\![\Gamma, x \vdash y]\!]env &=& \mathcal{C}[\![\Gamma \vdash y]\!]\pi_2(env)\\
\mathcal{C}[\![\Gamma \vdash e_1\,e_2]\!]env &=& \mathsf{let}\ z = \mathcal{C}[\![\Gamma \vdash e_1]\!]env\ \mathsf{in}\ (\pi_1(z))\ (\mathcal{C}[\![\Gamma \vdash e_2]\!]env,\ \pi_2(z))\\
\mathcal{C}[\![\Gamma \vdash \lambda x.e]\!]env &=& (\lambda y.\mathcal{C}[\![\Gamma, x \vdash e]\!]y,\ env)
\end{array}$$

where $x \neq y$ in the second equation, $z \notin FV(\Gamma, e_1, e_2)$ in the third, and $y \notin FV(\Gamma, x, e, env)$ in the fourth. Note that we include let-bindings here for convenience.

Example 6.1. As a simple example, consider the closure-conversion of the K-combinator $\lambda x.\lambda y.x$:

$$\begin{array}{rcl}
\mathcal{C}[\![\Gamma \vdash \lambda x.\lambda y.x]\!]env &=& (\lambda x'.\mathcal{C}[\![\Gamma, x \vdash \lambda y.x]\!]x',\ env)\\
&=& (\lambda x'.(\lambda y'.\mathcal{C}[\![\Gamma, x, y \vdash x]\!]y',\ x'),\ env)\\
&=& (\lambda x'.(\lambda y'.\mathcal{C}[\![\Gamma, x \vdash x]\!](\pi_2(y')),\ x'),\ env)\\
&=& (\lambda x'.(\lambda y'.\pi_1(\pi_2(y')),\ x'),\ env)
\end{array}$$
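To connect the recursion principle $\mathsf{rec}_{T,e}$ and the $\mathsf{cond}$ name-comparison of the previous section with the equations for $\mathcal{C}[\![\Gamma \vdash e]\!]env$, here is an added Python example (not code from the paper) that implements closure conversion as an instance of the recursor, with `cond` deciding the $x \neq y$ side condition in the variable cases and the primed-name convention of Example 6.1 for fresh names. Terms are Python tuples; the function names `rec_e`, `cond`, `closure_convert`, `swap`, `names` and `fresh` are this example's own, and the choice of fresh names is an assumption.

```python
# Source terms (nominal abstract syntax of Figure 1) as tuples:
#   ('var', x)   ('app', t, u)   ('lam', x, t)   where ('lam', x, t) is lam <x>t.
# Target terms add ('pair', a, b), ('pi1', t), ('pi2', t) and ('let', z, rhs, body).

def swap(a, b, t):
    """Name swapping (a b)·t: total and structural; the tag in t[0] is untouched."""
    sw = lambda n: b if n == a else a if n == b else n
    return (t[0],) + tuple(swap(a, b, c) if isinstance(c, tuple) else sw(c)
                           for c in t[1:])

def names(t):
    """Every name occurring in a source or target term (free or bound)."""
    out = set()
    for c in t[1:]:
        out |= names(c) if isinstance(c, tuple) else {c}
    return out

def fresh(base, avoid):
    """First of base, base', base'', ... not in avoid (primed-name convention)."""
    n = base
    while n in avoid:
        n += "'"
    return n

def cond(abstraction, M, N):
    """cond_alpha (<x>y) M N: M when the abstracted name is y itself, else N y."""
    x, y = abstraction
    return M if x == y else N(y)

def rec_e(V, A, L):
    """rec_{T,e} V A L read computationally.  V handles var x; A receives both
    subterms and their results for app M N; L receives the abstraction F and a
    function a -> result for F@a, standing for the nabla-quantified argument
    <a:v>rec V A L (F@a).  Callers must pass an a fresh for F (the side condition)."""
    def go(m):
        if m[0] == 'var':
            return V(m[1])
        if m[0] == 'app':
            return A(m[1], m[2], go(m[1]), go(m[2]))
        F = m
        return L(F, lambda a: go(swap(F[1], a, F[2])))   # F@a computed as (x a)·body
    return go

def closure_convert(e, gamma=(), env=('var', 'env')):
    """C[Γ ⊢ e]env of Section 6.1 via rec_e.  Each intermediate result has the
    type T e = (Γ, env) -> target term; gamma is the tuple of names in Γ."""
    def V(x):
        def at(gamma, env):
            if not gamma:
                raise ValueError(f"unbound variable {x}")
            y, rest = gamma[-1], gamma[:-1]
            # C[Γ,y ⊢ x]env = pi1(env) if x is y, else C[Γ ⊢ x](pi2 env); the
            # name comparison is cond applied to the abstraction <y>x.
            return cond((y, x), ('pi1', env), lambda _: at(rest, ('pi2', env)))
        return at
    def A(e1, e2, r1, r2):
        def at(gamma, env):
            z = fresh('z', set(gamma) | names(e1) | names(e2))   # z ∉ FV(Γ, e1, e2)
            return ('let', z, r1(gamma, env),
                    ('app', ('pi1', ('var', z)),
                            ('pair', r2(gamma, env), ('pi2', ('var', z)))))
        return at
    def L(F, body_at):
        def at(gamma, env):
            # open the abstraction at a name x not clashing with Γ
            x = F[1] if F[1] not in gamma else fresh(F[1], set(gamma) | names(F))
            y = fresh(x, set(gamma) | names(F) | names(env))   # y ∉ FV(Γ, x, e, env)
            # C[Γ ⊢ λx.e]env = (λy. C[Γ,x ⊢ e]y, env)
            return ('pair', ('lam', y, body_at(x)(gamma + (x,), ('var', y))), env)
        return at
    return rec_e(V, A, L)(e)(gamma, env)
```

Running `closure_convert(('lam', 'x', ('lam', 'y', ('var', 'x'))))` reproduces the result of Example 6.1, $(\lambda x'.(\lambda y'.\pi_1(\pi_2(y')),\ x'),\ env)$; the variable case walks $\Gamma$ from the right exactly as the first two equations do, one $\pi_2$ per skipped binder.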

Closure conversion seems like a natural candidate for encoding in a logical framework, because it seems to involve only syntactic manipulation of ordinary $\lambda$-terms. For example, Hannan [12] studied closure conversion algorithms encoded in LF. However, there are some subtle issues which seem to complicate formalizing closure conversion in LF. First, if we take $\mathsf{lam} : (\mathsf{exp} \to \mathsf{exp}) \to \mathsf{exp}$, there is no explicit case for variables. This can be fixed by making sure to add a local hypothesis $\mathsf{is\_var}(x)$ for each $\lambda$-term variable $x$ as $x$ is added to the context. This approach is commonly taken in LF developments [7], and is believed correct as long as there is no way to construct a term of type $\mathsf{is\_var}(M)$ where $M$ is not a variable.
(The constant names at the left of the following signature lines were lost in extraction; only their types survive.)

    [name lost] : exp.
    [name lost] : exp → exp → exp.
    [name lost] : exp → exp.
    [name lost] : exp → exp.
    [name lost] : exp → (⟨⟨id⟩⟩exp) → exp.

    cconv : list_id → exp → exp → exp → type.
    cconv_v1 : cconv [G, X] (var X) Env (pi1 Env).
    cconv_v2 : cconv [G, X] (var Y) Env E ← neq X Y
                                          ← cconv G (var Y) (pi2 Env) E.
    cconv_a : cconv G (app E1 E2) Env (let E11 (⟨z:id⟩app (pi1 (var z)) (pair E21 (pi2 (var z)))))
                                          ← cconv G E1 Env E11
                                          ← cconv G E2 Env E21.
    cconv_l : cconv G (lam F1) Env (pair (lam F2) Env)
                                          ← ∇x.∇y. cconv [G, x] (F1@x) (var y) (F2@y).

Figure 16: Closure conversion translation

    pf : list_o → o → type.

    pf (G@x) (box (x := T@x) (P@x)) ← (∇y:v. pf [G@x, var y = T@x] (P@y)).
    pf (G@x) (Q@x) ← pf (G@x) (box (x := T@x) (P@x))
                   ← (∇y:v. pf [G, var y = T@x, P@y] (Q@x)).

Figure 17: Representative inference rules of dynamic logic



Alternatively, we could adopt a weaker encoding in which $\mathsf{lam} : (\mathsf{var} \to \mathsf{exp}) \to \mathsf{exp}$, thus foregoing the benefits of built-in capture-avoiding substitution.

Second, however, in LF we cannot directly test variables for equality. Hannan [12] neither presented a concrete LF encoding nor discussed how to overcome these obstacles. Using Crary's technique [7], we can test inequality among variables by tagging variables with distinct numerical tags, but this requires modifying all predicates in which inequality testing might be needed (see the discussion in the next section).

In $\lambda\Pi\nabla$, we can define closure conversion directly as a relation, as shown in Figure 16. We use a definable type of lists of identifiers $\mathsf{list\_id}$, and define syntax for pairing, projection, and let. The variable inequality side-condition on the case for different variables $x, y$ is handled using $\mathsf{neq}$. The rest of the translation is straightforward.



6.2. Dynamic logic. Dynamic logic (DL) [13] is a generalization of program logics such as Hoare logic. In DL, besides ordinary propositional connectives and quantifiers, there is a syntactic class of programs $a$, and a modal connective $[a]\varphi$. Such a formula has the intended interpretation, "After any terminating execution of program $a$, $\varphi$ necessarily holds". Programs can in general be nondeterministic or nonterminating, so $[a]\varphi$ is trivially true if $a$ diverges; on the other hand, $[a]\varphi$ does not hold if there is a possible terminating execution of $a$ in a state not satisfying $\varphi$. Thus, a DL formula $\varphi \supset [a]\psi$ has the same meaning as a Hoare logic partial correctness assertion $\{\varphi\}\,a\,\{\psi\}$.
An important, but counterintuitive, aspect of dynamic logic is that variables are used both for quantification and as assignment targets in programs. As a result, it does not make sense to substitute an expression for a variable name $x$ everywhere in its scope, because it might occur on the left-hand side of an assignment, and it would not make sense to substitute an expression there. For example, $\forall x.[x := 0](x = 0)$ is a well-formed (and valid) formula of DL, but $[1 := 0]\,1 = 0$, the result of substituting a non-variable such as $1$ for $x$, is nonsense.

Proof rules for the assignment operation $x := t$ are challenging to encode in a logical framework. Honsell and Miculan [16] considered a natural deduction formulation of DL implemented in Coq. Their proof system included the following inference rules to deal with assignment:

$$\frac{\Gamma, y = t \vdash \phi[y/x]}{\Gamma \vdash [x := t]\phi}\ (y \notin FV(\Gamma, \phi, t)) \qquad \frac{\Gamma \vdash [x := t]\phi \qquad \Gamma, y = t, \phi[y/x] \vdash \psi}{\Gamma \vdash \psi}\ (y \notin FV(\Gamma, \phi, \psi, t))$$

The main obstacle to encoding dynamic logic using higher-order abstract syntax is that there is no easy way to talk about distinct or fresh object variable names. To deal with the freshness side conditions, Honsell and Miculan adapted a technique introduced for encoding Hoare logic in LF by Avron, Honsell, Mason, and Pollack [20, 2]. In this technique, explicit judgments $\mathsf{isin} : \Pi T{:}\mathsf{type}.\,v \to T \to \mathsf{type}$ and $\mathsf{isnotin} : \Pi T{:}\mathsf{type}.\,v \to T \to \mathsf{type}$ are introduced to encode the property that a variable name occurs free in (does not occur free in) an object of type $T$ (an expression, formula, program, etc.). Both LF and Coq encodings are verbose and require explicit low-level reasoning about name occurrences, freshness, and inequality.

In $\lambda\Pi\nabla$, using names and dependent name types, we can encode the problematic inference rules as shown in Figure 17. Again, we use a definable type of lists of formulas $\mathsf{list\_o}$ for the hypotheses $\Gamma$.

Here, we have taken an approach that represents the context explicitly as part of the judgment, that is, $\mathsf{pf} : \mathsf{list\_o} \to o \to \mathsf{type}$. An alternative approach to encoding hypothetical judgments, usually preferred in LF, is to encode only the conclusion via a predicate $\mathsf{pf} : o \to \mathsf{type}$ and then use local $\mathsf{pf}$ assumptions to represent local hypotheses.

    assignI' : pf (box (x := T@x) (P@x))
                 ← (∇y:v. (pf (var y = T@x)) → pf (P@y)).

    assignE' : pf (Q@x)
                 ← (pf (box (x := T@x) (P@x)))
                 ← (∇y:v. (pf (var y = T@x)) → pf (P@y) → pf (Q@x)).

This appears correct for $\lambda\Pi\nabla$ as presented in this article. However, if we read these types as nominal logic formulas then their meaning does not correspond to the judgments we want to encode. The reason is that nominal logic satisfies an equivariance property, which is not explicitly reflected in $\lambda\Pi\nabla$. Equivariance states that the validity of any proposition is preserved by applying a name-permutation to all of its arguments. In a type theory, this can be represented by introducing a swapping term $\pi \cdot M$ such that (roughly speaking) if $\Gamma \vdash M : A$ then $\Gamma \vdash \pi \cdot M : \pi \cdot A$. (This is done, in a simple type theory, for Pitts' Nominal System T [30, 31], discussed in the next section.) Representing hypothetical judgments using local implications is incorrect in full nominal logic because equivariance can be used to break the connection between names in $\Gamma$ and names in the conclusion; to avoid this, local assumptions have to be made explicit as an argument of the judgment. Because we view adding additional features of nominal logic (such as swapping/equivariance) to $\lambda\Pi\nabla$ as an important next step, we prefer to give an example that appears robust in the face of these extensions. In addition, using this approach we cannot hope to use nominal recursion or induction principles over proofs, because of the negative occurrences of $\mathsf{pf}$.

Another alternative would be to represent hypotheses using $\nabla$-quantification or name-abstraction:

    assignI'' : (pf (box (x := T@x) (P@x)))
                  ← (∇y:v. ⟨⟨pf (var y = T@x)⟩⟩pf (P@y)).

    assignE'' : pf (Q@x)
                  ← (pf (box (x := T@x) (P@x)))
                  ← (∇y:v. ⟨⟨pf (var y = T@x)⟩⟩⟨⟨pf (P@y)⟩⟩pf (Q@x)).

Doing this would avoid the non-positivity issue, but would still have the other drawbacks of the ordinary local hypotheses approach discussed above. It would also require allowing name types to depend on values (including other names); we could do this by making $\mathsf{name}$ into a first-class kind. However, this poses both conceptual and practical problems. The conceptual problem is that name-types are usually interpreted as infinite sets of swappable atoms, which are not mixed with ordinary values. At a semantic level, it is not clear what we mean by abstracting by an ordinary data type or judgment (however, Schöpp's study [36] of nominal set semantics for Miller and Tiu's logic of generic judgments [22] may offer a solution). The practical problem is that if name-types can depend on other names, then the context restriction operation $\Gamma \vdash a{:}\alpha \setminus \Gamma'$ needs to remove not only all variables introduced after $a$, but also all variables or names whose type depends on $a$. This seems workable, but makes the system considerably more complex, while it is not yet clear that the extra complexity is justified by applications. We view extending name-types to a first-class kind to be an important area for future work.

7. Comparison with related systems

7.1. LF. We argued earlier that the intuitive definition of alpha-inequality cannot be translated directly to LF. This is a somewhat subjective claim. At a technical level, the issue is that in LF, object-language variables are represented as meta-language variables, which cannot be compared directly for (in)equality. That is, we cannot simply translate the rule

$$\mathsf{var}(x) \not\equiv_\alpha \mathsf{var}(y)$$

directly to LF in a compositional way. A naive attempt to represent this rule by declaring a type constant such as

$$a : \Pi x{:}a.\Pi y{:}a.\,\mathsf{neq}\ x\ y.$$

is clearly wrong, since this defines the total relation on expressions. The following proposition shows that there is no way to translate name-inequality to a binary predicate in LF that works correctly in all contexts:
    exp : type.
    lam : (exp -> exp) -> exp.
    app : exp -> exp -> exp.

    nat : type.
    z : nat.
    s : nat -> nat.

    neq : nat -> nat -> type.
    - : neq (s X) z.
    - : neq z (s _).
    - : neq (s N) (s M) <- neq N M.

    bvar : exp -> nat -> type.

    aneqi : nat -> exp -> exp -> type.
    - : aneqi N X Y <- bvar X MX <- bvar Y MY <- neq MX MY.
    - : aneqi N (app E1 E2) (app E3 E4) <- aneqi N E1 E3.
    - : aneqi N (app E1 E2) (app E3 E4) <- aneqi N E2 E4.
    - : aneqi N (lam E1) (lam E2) <-
          ({x : exp} bvar x N -> aneqi (s N) (E1 x) (E2 x)).
    - : aneqi N X (app _ _) <- bvar X _.
    - : aneqi N X (lam _) <- bvar X _.
    - : aneqi N (app _ _) X <- bvar X _.
    - : aneqi N (lam _) X <- bvar X _.
    - : aneqi N (app _ _) (lam _).
    - : aneqi N (lam _) (app _ _).

    aneq : exp -> exp -> type.
    aneq_i : aneq E1 E2 <- aneqi z E1 E2.

Figure 18: Alpha-inequivalence in LF

Proposition 7.1. Let $\Sigma$ be an LF signature, $t : \mathsf{type}$ a constant type in $\Sigma$ and $r : t \to t \to \mathsf{type}$ be a constant in $\Sigma$. Then whenever $\Gamma, x{:}t, y{:}t, \Gamma' \vdash M : r\ x\ y$ is derivable for two different variables $x, y$, the judgment $\Gamma, x{:}t, \Gamma'[x/y] \vdash M[x/y] : r\ x\ x$ is also derivable.

Proof. Direct using substitution. □

This implies that if we want to define relations involving variable inequality, we need to ensure that there are appropriate hypotheses in $\Gamma$ that can be used to prove that variables introduced at different binding sites are distinct. For example, using Crary's technique of adding natural number labels for bound names as they are introduced in the context [7], we can implement alpha-inequivalence as shown in Figure 18. (A similar encoding is possible using weak higher-order abstract syntax techniques, as in the Theory of Contexts [17].)

Clearly it is a subjective question whether the other advantages of LF outweigh the extra effort needed to encode judgments that do involve name-inequality. In this article, our goal has been to explore the alternative offered by nominal abstract syntax in a dependently-typed setting, not to propose a replacement for LF.
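The following added Python example (not from the paper, nor Crary's own code) models the encoding of Figure 18: `lam` binds with a host-language function, as LF's `lam : (exp -> exp) -> exp` does, and each bound variable is tagged with a natural-number label when it is introduced, so that variable inequality becomes inequality of labels rather than a comparison of meta-variables. The names `BVar`, `Lam`, `App`, `aneqi` and `aneq` follow the figure; representing the labels as Python integers and the `bvar` hypothesis as the `BVar` node are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# Higher-order abstract syntax in Python: a Lam carries a function, so
# object-language binding is the host language's binding, exactly as in
# lam : (exp -> exp) -> exp.  A BVar is a variable that has been introduced
# under a binder together with its label, the "bvar X N" hypothesis of Figure 18.
@dataclass(frozen=True)
class BVar:
    label: int            # the tag N in "bvar X N"

@dataclass(frozen=True)
class App:
    fun: object
    arg: object

@dataclass(frozen=True)
class Lam:
    body: Callable        # exp -> exp; applied to a fresh BVar when opened


def aneqi(n, e1, e2):
    """Decide aneqi n e1 e2 by the clauses of Figure 18.  n is the next unused
    label; every pair of lams is opened by applying both bodies to one new BVar
    tagged n, mirroring "{x:exp} bvar x N -> aneqi (s N) (E1 x) (E2 x)"."""
    if isinstance(e1, BVar) and isinstance(e2, BVar):
        return e1.label != e2.label                   # neq MX MY on the labels
    if isinstance(e1, App) and isinstance(e2, App):
        return aneqi(n, e1.fun, e2.fun) or aneqi(n, e1.arg, e2.arg)
    if isinstance(e1, Lam) and isinstance(e2, Lam):
        x = BVar(n)                                   # introduce x with bvar x N
        return aneqi(n + 1, e1.body(x), e2.body(x))   # continue at label s N
    # a labelled variable against app or lam, or app against lam: always unequal
    return True


def aneq(e1, e2):
    """aneq E1 E2 <- aneqi z E1 E2: start labelling from zero."""
    return aneqi(0, e1, e2)
```

Proposition 7.1 explains why the labels are needed: without them, a derivation of inequality between two bound variables would survive identifying them by substitution. Here the two variables bound at different depths carry different labels, so the only way to get equal labels is to reach the same binder on both sides.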
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7.2. Schopp and Stark's dependent type theories. Schopp and Stark introduced de- 
pendent type theories that capture the topos-theoretic semantics of nominal sets. (The cat- 
egory of nominal sets is isomorphic to the Schanuel topos, known from sheaf theory [18]). In 
particular, they consider both ordinary and "fresh" dependent product spaces, dependent 
sums, and a "free from" type of pairs (a, M) where a is a name fresh for M. The "fresh" 
versions of these types quantify over objects whose names are fresh for the current context; 
these generalize the fresh-name quantifier l/l. The type theory is based on using bunched 
contexts (derived from the Logic of Bunched Implications). 

Schopp and Stark's systems are very expressive: they can express recursive functions 
over nominal abstract syntax, as well as proofs by induction, as outlined earlier in this 
article. But they also appear quite difficult to use in an automated system. In particular, 
there are no results on strong normalization or decidability of equivalence and typechecking 
for these systems, and it does not seem easy to adapt standard results because of the use 
of bunched contexts. The results in this paper can be seen as a first step in this direction, 
focusing on a simple subsystem of theirs which captures at least some of the expressiveness 
of nominal abstract syntax. 

7.3. Nominal System T and related systems. Pitts' Nominal System T [30, 31] is
a simply-typed calculus that is also an attractive starting point for a dependent nominal
type theory. In contrast to SNTT or λΠИ, it has ordinary (non-bunched) contexts and also
supports explicit name-swapping and locally-scoped names. Unfortunately, these features
interact with dependent types in complex ways, making it non-obvious how to extend Nominal
System T to a dependent type theory. In this section, we give an example that highlights
the problem. We give only the description of the problem, not a full formalization of a
putative "Dependent Nominal System T."

Consider a dependent version of Nominal System T with dependent pair types $\Sigma x{:}A.\,B$
with the usual introduction and elimination rules:

$$
\frac{\Gamma \vdash M : A \qquad \Gamma \vdash N : B[M/x]}{\Gamma \vdash (M, N) : \Sigma x{:}A.\,B}
\qquad\qquad
\frac{\Gamma \vdash M : \Sigma x{:}A.\,B \qquad \Gamma, x{:}A, y{:}B \vdash N : B'}{\Gamma \vdash \mathsf{unpack}\ (x, y) = M\ \mathsf{in}\ N : B'}
$$

In Nominal System T, the $\nu$-binder can be pushed down through pair constructors, so it is
natural to expect that $\nu a.(M, N)$ and $(\nu a.M, \nu a.N)$ should be definitionally equal. But if
so, then for subject reduction to hold, given a derivation of

$$
\frac{\dfrac{\Gamma, a{:}\alpha \vdash M : A \qquad \Gamma, a{:}\alpha \vdash N : B[M/x]}{\Gamma, a{:}\alpha \vdash (M, N) : \Sigma x{:}A.\,B}}{\Gamma \vdash \nu a.(M, N) : \Sigma x{:}A.\,B}
$$

we should also be able to derive

$$
\frac{\Gamma \vdash \nu a.M : A \qquad \Gamma \vdash \nu a.N : B[\nu a.M/x]}{\Gamma \vdash (\nu a.M, \nu a.N) : \Sigma x{:}A.\,B}
$$

The first hypothesis follows immediately from $\Gamma, a{:}\alpha \vdash M : A$, but it is not obvious how
to obtain the second from $\Gamma, a{:}\alpha \vdash N : B[M/x]$.

This argument certainly does not show that it is impossible to extend Nominal System
T to a dependent type theory (doing so appears straightforward if we limit ourselves to
$\Pi$-types), just that to develop further extensions we may need to be very careful about how
name-restrictions interact with dependent types.

8. Conclusions 

We have proposed a dependent nominal type theory, called λΠИ. We can represent
name-inequality directly in λΠИ, but on the other hand must be more explicit about contexts
and substitution. We also showed that (recursion-free) λΠИ shares the good metatheoretic
properties of the LF type theory, particularly decidability of equivalence and typechecking
and existence of canonical forms.

There are several directions for future work. The main syntactic properties of the
simply-typed fragment have already been verified using Nominal Isabelle/HOL [5]. We
would also like to relate our approach to other techniques [27, 32, 19, 41] and further develop
the foundations needed for incorporating nominal reasoning into richer type theories such
as CIC, particularly the metatheory of recursion principles and locally-scoped names over
nominal abstract syntax.